diff --git a/.edk2.metadata b/.edk2.metadata
new file mode 100644
index 0000000..fe107a9
--- /dev/null
+++ b/.edk2.metadata
@@ -0,0 +1,2 @@
+858fffdab12810fb170144ffe1a9c39e9fface80 SOURCES/edk2-e1999b264f1f.tar.xz
+2d79c58e492deec27d4ac583dd9c17a43c840487 SOURCES/openssl-rhel-bdd048e929dcfcf2f046d74e812e0e3d5fc58504.tar.xz
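Review bot: both digests in .edk2.metadata are 40 hex characters, which is SHA-1 length, and they are the only integrity check visible in this change for the two source tarballs. If the lookaside tooling accepts a stronger digest, record SHA-256 for both entries; otherwise have the build verify the tarballs independently of this file. The edk2 tarball name also carries only a 12-character abbreviated commit id (e1999b264f1f), while the OpenSSL tarball carries the full 40 characters; using the full id for both would pin the revision unambiguously.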
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..55f0d70
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/edk2-e1999b264f1f.tar.xz
+SOURCES/openssl-rhel-bdd048e929dcfcf2f046d74e812e0e3d5fc58504.tar.xz
diff --git a/SOURCES/0008-BaseTools-do-not-build-BrotliCompress-RH-only.patch b/SOURCES/0008-BaseTools-do-not-build-BrotliCompress-RH-only.patch
new file mode 100644
index 0000000..78d65ea
--- /dev/null
+++ b/SOURCES/0008-BaseTools-do-not-build-BrotliCompress-RH-only.patch
@@ -0,0 +1,43 @@
+From dca56cf4d28bbbb1d3be029ce9a6710cb3f6cd2f Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Thu, 4 Jun 2020 13:34:12 +0200
+Subject: BaseTools: do not build BrotliCompress (RH only)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- no change
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- New patch.
+
+BrotliCompress is not used for building ArmVirtPkg or OvmfPkg platforms.
+It depends on one of the upstream Brotli git submodules that we removed
+earlier in this rebase series. (See patch "remove upstream edk2's Brotli
+submodules (RH only").
+
+Do not attempt to build BrotliCompress.
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit db8ccca337e2c5722c1d408d2541cf653d3371a2)
+---
+ BaseTools/Source/C/GNUmakefile | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/BaseTools/Source/C/GNUmakefile b/BaseTools/Source/C/GNUmakefile
+index 8c191e0c38..3eae824a1c 100644
+--- a/BaseTools/Source/C/GNUmakefile
++++ b/BaseTools/Source/C/GNUmakefile
+@@ -48,7 +48,6 @@ all: makerootdir subdirs
+ LIBRARIES = Common
+ VFRAUTOGEN = VfrCompile/VfrLexer.h
+ APPLICATIONS = \
+-  BrotliCompress \
+   VfrCompile \
+   EfiRom \
+   GenFfs \
+-- 
+2.27.0
+
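Review bot: the commit message justifies dropping "BrotliCompress \" from APPLICATIONS only for ArmVirtPkg and OvmfPkg, and it refers to the missing dependency as "one of the upstream Brotli git submodules" without naming it. Name the submodule path and the number of the patch that removed it, so that a later rebase can tell when this line may come back. The quoted patch title also has its closing parenthesis and quote transposed: "(RH only")" should read "(RH only)")".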
diff --git a/SOURCES/0009-MdeModulePkg-remove-package-private-Brotli-include-p.patch b/SOURCES/0009-MdeModulePkg-remove-package-private-Brotli-include-p.patch
new file mode 100644
index 0000000..6046944
--- /dev/null
+++ b/SOURCES/0009-MdeModulePkg-remove-package-private-Brotli-include-p.patch
@@ -0,0 +1,49 @@
+From 9729dd1d6b83961d531e29777d0cc4a610b108be Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Thu, 4 Jun 2020 13:39:08 +0200
+Subject: MdeModulePkg: remove package-private Brotli include path (RH only)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- no change
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- New patch.
+
+Originating from upstream commit 58802e02c41b
+("MdeModulePkg/BrotliCustomDecompressLib: Make brotli a submodule",
+2020-04-16), "MdeModulePkg/MdeModulePkg.dec" contains a package-internal
+include path into a Brotli submodule.
+
+The edk2 build system requires such include paths to resolve successfully,
+regardless of the firmware platform being built. Because
+BrotliCustomDecompressLib is not consumed by any OvmfPkg or ArmVirtPkg
+platforms, and we've removed the submodule earlier in this patch set,
+remove the include path too.
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit e05e0de713c4a2b8adb6ff9809611f222bfe50ed)
+---
+ MdeModulePkg/MdeModulePkg.dec | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
+index 8d38383915..ba2d0290e7 100644
+--- a/MdeModulePkg/MdeModulePkg.dec
++++ b/MdeModulePkg/MdeModulePkg.dec
+@@ -24,9 +24,6 @@
+ [Includes]
+   Include
+ 
+-[Includes.Common.Private]
+-  Library/BrotliCustomDecompressLib/brotli/c/include
+-
+ [LibraryClasses]
+   ##  @libraryclass  Defines a set of methods to reset whole system.
+   ResetSystemLib|Include/Library/ResetSystemLib.h
+-- 
+2.27.0
+
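Review bot: removing the "[Includes.Common.Private]" section from MdeModulePkg.dec is safe only because, as the message says, no OvmfPkg or ArmVirtPkg platform consumes BrotliCustomDecompressLib, and nothing in the hunk enforces that. A platform DSC that later references the library would fail on a missing header rather than on a clear error. State in the message whether the library's own files remain in the tree, and if they do, consider a short comment in the .dec at this spot recording that the include path was dropped downstream on purpose.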
diff --git a/SOURCES/0010-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch b/SOURCES/0010-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
new file mode 100644
index 0000000..6fb626e
--- /dev/null
+++ b/SOURCES/0010-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
@@ -0,0 +1,659 @@
+From 8c815e04dda7897899dfa011063f779280cd4d5d Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 11 Jun 2014 23:33:33 +0200
+Subject: advertise OpenSSL on TianoCore splash screen / boot logo (RHEL only)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- Extend the DSC/FDF change to the new OvmfPkg/AmdSev platform, which has
+  been introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base
+  commit to build encrypted boot specific OVMF", 2020-12-14), for
+  TianoCore#3077.
+
+  We've always patched all those DSC/FDF files in OvmfPkg down-stream that
+  made sense at least in theory on QEMU. (For example, we've always
+  patched "OvmfPkgIa32.dsc" and "OvmfPkgIa32.fdf", even though we never
+  build or ship the pure IA32 firmware platform.) Follow suit with
+  "AmdSevX64.dsc" and "AmdSevX64.fdf".
+
+  "AmdSevX64.dsc" consumes OpenSSL when built with "-D TPM_ENABLE".
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- Replace the open-coded BSDL with "SPDX-License-Identifier:
+  BSD-2-Clause-Patent" in the following files:
+
+  - MdeModulePkg/Logo/Logo-OpenSSL.idf
+  - MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+  - MdeModulePkg/Logo/LogoOpenSSLDxe.uni
+
+  (This should have been done in the previous rebase, because the same
+  license block changes had been applied to MdeModulePkg/Logo/ in upstream
+  commit 9d510e61fcee ("MdeModulePkg: Replace BSD License with BSD+Patent
+  License", 2019-04-09), part of tag edk2-stable201905.)
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- trivial context update (performed silently by git-cherry-pick) for
+  upstream commit 3207a872a405 ("OvmfPkg: Update DSC/FDF files to consume
+  CSM components in OvmfPkg", 2019-06-14)
+
+- A note for the future: the logo could change completely in a subsequent
+  rebase. See <https://bugzilla.tianocore.org/show_bug.cgi?id=2050> (in
+  CONFIRMED status at the time of writing).
+
+Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
+RHEL-8.1/20190308-89910a39dcfd rebase:
+
+- Upstream edk2 removed the obsoleted network drivers in MdeModulePkg. The
+  OvmfPkg platforms were adapted in commit d2f1f6423bd1 ("OvmfPkg: Replace
+  obsoleted network drivers from platform DSC/FDF.", 2018-11-06). The
+  ArmVirtPkg platforms were adapted in commit 9a67ba261fe9 ("ArmVirtPkg:
+  Replace obsoleted network drivers from platform DSC/FDF.", 2018-12-14).
+
+  Consequently, because the NetworkPkg iSCSI driver requires OpenSSL
+  unconditionally, as explained in
+  <https://bugzilla.tianocore.org/show_bug.cgi?id=1278#c3>, this patch now
+  builds LogoOpenSSLDxe unconditionally, squashing and updating previous
+  downstream commits
+
+  - 8e8ea8811e26 advertise OpenSSL on TianoCore splash screen / boot logo
+                 (RHEL only)
+  - 02ed2c501cdd advertise OpenSSL due to IPv6 enablement too (RHEL only)
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- Adapted to upstream 25184ec33c36 ("MdeModulePkg/Logo.idf: Remove
+  incorrect comments.", 2018-02-28)
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- After picking previous downstream-only commit 32192c62e289, carry new
+  upstream commit e01e9ae28250 ("MdeModulePkg/LogoDxe: Add missing
+  dependency gEfiHiiImageExProtocolGuid", 2017-03-16) over to
+  "LogoOpenSSLDxe.inf".
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- For more fun, upstream completely changed the way logo bitmaps are
+  embedded in the firmware binary (see for example commit ab970515d2c6,
+  "OvmfPkg: Use the new LogoDxe driver", 2016-09-26). Therefore in this
+  rebase, we reimplement the previous downstream-only commit e775fb20c999,
+  as described below.
+
+- Beyond the new bitmap file (which we preserve intact from the last
+  downstream branch), we introduce:
+
+  - a new IDF (image description file) referencing the new BMP,
+
+  - a new driver INF file, referencing the new BMP and new IDF (same C
+    source code though),
+
+  - a new UNI (~description) file for the new driver INF file.
+
+- In the OVMF DSC and FDF files, we select the new driver INF for
+  inclusion if either SECURE_BOOT_ENABLE or TLS_ENABLE is set, as they
+  both make use of OpenSSL (although different subsets of it).
+
+- In the AAVMF DSC and FDF files, we only look at SECURE_BOOT_ENABLE,
+  because the ArmVirtQemu platform does not support TLS_ENABLE yet.
+
+- This patch is best displayed with "git show --find-copies-harder".
+
+Notes about the d7c0dfa -> 90bb4c5 rebase:
+
+- squash in the following downstream-only commits (made originally for
+  <https://bugzilla.redhat.com/show_bug.cgi?id=1308678>):
+
+  - eef9eb0 restore TianoCore splash logo without OpenSSL advertisment
+            (RHEL only)
+
+  - 25842f0 OvmfPkg, ArmVirtPkg: show OpenSSL-less logo without Secure
+            Boot (RH only)
+
+  The reason is that ideas keep changing when and where to include the
+  Secure Boot feature, so the logo must be controllable directly on the
+  build command line, from the RPM spec file. See the following
+  references:
+
+  - https://post-office.corp.redhat.com/mailman/private/virt-devel/2016-March/msg00253.html
+  - https://post-office.corp.redhat.com/mailman/private/virt-devel/2016-April/msg00118.html
+  - https://bugzilla.redhat.com/show_bug.cgi?id=1323363
+
+- This squashed variant should remain the final version of this patch.
+
+Notes about the c9e5618 -> b9ffeab rebase:
+- AAVMF gained Secure Boot support, therefore the logo is again modified
+  in the common location, and no FDF changes are necessary.
+
+Notes about the 9ece15a -> c9e5618 rebase:
+- Logo.bmp is no longer modified in-place; instead a modified copy is
+  created. That's because AAVMF includes the logo too, but it doesn't
+  include OpenSSL / Secure Boot, so we need the original copy too.
+
+Because we may include the OpenSSL library in our OVMF and AAVMF builds
+now, we should advertise it as required by its license. This patch takes
+the original TianoCore logo, shifts it up by 20 pixels, and adds the
+horizontally centered message
+
+  This product includes software developed by the OpenSSL Project
+  for use in the OpenSSL Toolkit (http://www.openssl.org/)
+
+below.
+
+Logo-OpenSSL.bmp: PC bitmap, Windows 3.x format, 469 x 111 x 24
+Logo.bmp:         PC bitmap, Windows 3.x format, 193 x 58 x 8
+
+Downstream only because upstream edk2 does not intend to release a
+secure-boot-enabled OVMF build. (However the advertising requirement in
+the OpenSSL license,
+"CryptoPkg/Library/OpensslLib/openssl-1.0.2*/LICENSE", has been discussed
+nonetheless, which is why I'm changing the logo.)
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 32192c62e289f261f5ce74acee48e5a94561f10b)
+(cherry picked from commit 33a710cd613c2ca7d534b8401e2f9f2178af05be)
+(cherry picked from commit 0b2d90347cb016cc71c2de62e941a2a4ab0f35a3)
+(cherry picked from commit 8e8ea8811e269cdb31103c70fcd91d2dcfb1755d)
+(cherry picked from commit 727c11ecd9f34990312e14f239e6238693619849)
+(cherry picked from commit 740d239222c2656ae8eeb2d1cc4802ce5b07f3d2)
+(cherry picked from commit cee80878b19e51d9b3c63335c681f152dcc59764)
+---
+ ArmVirtPkg/ArmVirtQemu.dsc           |   2 +-
+ ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc |   2 +-
+ ArmVirtPkg/ArmVirtQemuKernel.dsc     |   2 +-
+ MdeModulePkg/Logo/Logo-OpenSSL.bmp   | Bin 0 -> 156342 bytes
+ MdeModulePkg/Logo/Logo-OpenSSL.idf   |  10 +++++
+ MdeModulePkg/Logo/LogoOpenSSLDxe.inf |  56 +++++++++++++++++++++++++++
+ MdeModulePkg/Logo/LogoOpenSSLDxe.uni |  17 ++++++++
+ OvmfPkg/AmdSev/AmdSevX64.dsc         |   2 +-
+ OvmfPkg/AmdSev/AmdSevX64.fdf         |   2 +-
+ OvmfPkg/OvmfPkgIa32.dsc              |   2 +-
+ OvmfPkg/OvmfPkgIa32.fdf              |   2 +-
+ OvmfPkg/OvmfPkgIa32X64.dsc           |   2 +-
+ OvmfPkg/OvmfPkgIa32X64.fdf           |   2 +-
+ OvmfPkg/OvmfPkgX64.dsc               |   2 +-
+ OvmfPkg/OvmfPkgX64.fdf               |   2 +-
+ 15 files changed, 94 insertions(+), 11 deletions(-)
+ create mode 100644 MdeModulePkg/Logo/Logo-OpenSSL.bmp
+ create mode 100644 MdeModulePkg/Logo/Logo-OpenSSL.idf
+ create mode 100644 MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+ create mode 100644 MdeModulePkg/Logo/LogoOpenSSLDxe.uni
+
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index 7ef5e7297b..54d637163c 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -433,7 +433,7 @@
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf
+   MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
+-  MdeModulePkg/Logo/LogoDxe.inf
++  MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+   MdeModulePkg/Application/UiApp/UiApp.inf {
+     <LibraryClasses>
+       NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
+diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+index 5b1d100575..6cdbfc39be 100644
+--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+@@ -196,7 +196,7 @@ READ_LOCK_STATUS   = TRUE
+   #
+   # TianoCore logo (splash screen)
+   #
+-  INF MdeModulePkg/Logo/LogoDxe.inf
++  INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+ 
+   #
+   # Ramdisk support
+diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+index a542fcb157..f598ac6a85 100644
+--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+@@ -369,7 +369,7 @@
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf
+   MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
+-  MdeModulePkg/Logo/LogoDxe.inf
++  MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+   MdeModulePkg/Application/UiApp/UiApp.inf {
+     <LibraryClasses>
+       NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
+diff --git a/MdeModulePkg/Logo/Logo-OpenSSL.bmp b/MdeModulePkg/Logo/Logo-OpenSSL.bmp
+new file mode 100644
+index 0000000000000000000000000000000000000000..4af5740232ce484a939a5852604e35711ea88a29
+GIT binary patch
+literal 156342
+
+literal 0
+HcmV?d00001
+
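Review bot: Logo-OpenSSL.bmp arrives as a GIT binary patch, so the claim that it is the TianoCore logo shifted up by 20 pixels with the OpenSSL notice added cannot be checked from this hunk. The stated size is at least consistent with the stated geometry: a 469 x 111 x 24 bitmap has rows padded to 1408 bytes, and 1408 * 111 plus a 54-byte header is 156342, matching "literal 156342". Recording a digest of the decoded file in the commit message would let a reviewer confirm byte for byte that it is the same bitmap the message says was preserved intact from the last downstream branch.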
+diff --git a/MdeModulePkg/Logo/Logo-OpenSSL.idf b/MdeModulePkg/Logo/Logo-OpenSSL.idf
+new file mode 100644
+index 0000000000..2a60ac61b7
+--- /dev/null
++++ b/MdeModulePkg/Logo/Logo-OpenSSL.idf
+@@ -0,0 +1,10 @@
++// /** @file
++// Platform Logo image definition file.
++//
++// Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
++//
++// SPDX-License-Identifier: BSD-2-Clause-Patent
++//
++// **/
++
++#image IMG_LOGO Logo-OpenSSL.bmp
+diff --git a/MdeModulePkg/Logo/LogoOpenSSLDxe.inf b/MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+new file mode 100644
+index 0000000000..d1207663b2
+--- /dev/null
++++ b/MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+@@ -0,0 +1,56 @@
++## @file
++#  The default logo bitmap picture shown on setup screen.
++#
++#  Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
++#
++#  SPDX-License-Identifier: BSD-2-Clause-Patent
++#
++#
++##
++
++[Defines]
++  INF_VERSION                    = 0x00010005
++  BASE_NAME                      = LogoOpenSSLDxe
++  MODULE_UNI_FILE                = LogoOpenSSLDxe.uni
++  FILE_GUID                      = 9CAE7B89-D48D-4D68-BBC4-4C0F1D48CDFF
++  MODULE_TYPE                    = DXE_DRIVER
++  VERSION_STRING                 = 1.0
++
++  ENTRY_POINT                    = InitializeLogo
++#
++#  This flag specifies whether HII resource section is generated into PE image.
++#
++  UEFI_HII_RESOURCE_SECTION      = TRUE
++
++#
++# The following information is for reference only and not required by the build tools.
++#
++#  VALID_ARCHITECTURES           = IA32 X64
++#
++
++[Sources]
++  Logo-OpenSSL.bmp
++  Logo.c
++  Logo-OpenSSL.idf
++
++[Packages]
++  MdeModulePkg/MdeModulePkg.dec
++  MdePkg/MdePkg.dec
++
++[LibraryClasses]
++  UefiBootServicesTableLib
++  UefiDriverEntryPoint
++  DebugLib
++
++[Protocols]
++  gEfiHiiDatabaseProtocolGuid        ## CONSUMES
++  gEfiHiiImageExProtocolGuid         ## CONSUMES
++  gEfiHiiPackageListProtocolGuid     ## PRODUCES CONSUMES
++  gEdkiiPlatformLogoProtocolGuid     ## PRODUCES
++
++[Depex]
++  gEfiHiiDatabaseProtocolGuid AND
++  gEfiHiiImageExProtocolGuid
++
++[UserExtensions.TianoCore."ExtraFiles"]
++  LogoDxeExtra.uni
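Review bot: the reference-only comment "VALID_ARCHITECTURES = IA32 X64" in LogoOpenSSLDxe.inf no longer matches how the module is used, since this same patch adds LogoOpenSSLDxe.inf to ArmVirtQemu.dsc and ArmVirtQemuKernel.dsc. Update the comment to cover the architectures those platforms build for; the build tools ignore it, but readers do not. The file header still reads "The default logo bitmap picture shown on setup screen." and [UserExtensions.TianoCore."ExtraFiles"] still points at LogoDxeExtra.uni; if sharing those with LogoDxe is deliberate, say so in the message, otherwise give the header the same "with OpenSSL" wording that LogoOpenSSLDxe.uni uses.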
+diff --git a/MdeModulePkg/Logo/LogoOpenSSLDxe.uni b/MdeModulePkg/Logo/LogoOpenSSLDxe.uni
+new file mode 100644
+index 0000000000..6439502b6a
+--- /dev/null
++++ b/MdeModulePkg/Logo/LogoOpenSSLDxe.uni
+@@ -0,0 +1,17 @@
++// /** @file
++// The logo bitmap picture (with OpenSSL advertisment) shown on setup screen.
++//
++// This module provides the logo bitmap picture (with OpenSSL advertisment)
++// shown on setup screen, through EDKII Platform Logo protocol.
++//
++// Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
++//
++// SPDX-License-Identifier: BSD-2-Clause-Patent
++//
++// **/
++
++
++#string STR_MODULE_ABSTRACT             #language en-US "Provides the logo bitmap picture (with OpenSSL advertisment) shown on setup screen."
++
++#string STR_MODULE_DESCRIPTION          #language en-US "This module provides the logo bitmap picture (with OpenSSL advertisment) shown on setup screen, through EDKII Platform Logo protocol."
++
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 66bbbc80cd..52bcae6cf6 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -688,7 +688,7 @@
+   PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
+   MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf
+   MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
+-  MdeModulePkg/Logo/LogoDxe.inf
++  MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+   MdeModulePkg/Application/UiApp/UiApp.inf {
+     <LibraryClasses>
+       NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
+index dd0030dbf1..fa5e484e63 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
+@@ -279,7 +279,7 @@ INF  OvmfPkg/AmdSev/Grub/Grub.inf
+ INF  ShellPkg/Application/Shell/Shell.inf
+ !endif
+ 
+-INF MdeModulePkg/Logo/LogoDxe.inf
++INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+ 
+ #
+ # Usb Support
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 33fbd76790..d8f03caa30 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -777,7 +777,7 @@
+       NULL|OvmfPkg/Csm/LegacyBootManagerLib/LegacyBootManagerLib.inf
+ !endif
+   }
+-  MdeModulePkg/Logo/LogoDxe.inf
++  MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+   MdeModulePkg/Application/UiApp/UiApp.inf {
+     <LibraryClasses>
+       NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index b3c8b56f3b..e3b1d74ce2 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -300,7 +300,7 @@ INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+ !endif
+ INF  ShellPkg/Application/Shell/Shell.inf
+ 
+-INF MdeModulePkg/Logo/LogoDxe.inf
++INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+ 
+ #
+ # Network modules
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index b13e5cfd90..312577ebae 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -791,7 +791,7 @@
+       NULL|OvmfPkg/Csm/LegacyBootManagerLib/LegacyBootManagerLib.inf
+ !endif
+   }
+-  MdeModulePkg/Logo/LogoDxe.inf
++  MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+   MdeModulePkg/Application/UiApp/UiApp.inf {
+     <LibraryClasses>
+       NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index 86592c2364..f7732382d4 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -301,7 +301,7 @@ INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+ !endif
+ INF  ShellPkg/Application/Shell/Shell.inf
+ 
+-INF MdeModulePkg/Logo/LogoDxe.inf
++INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+ 
+ #
+ # Network modules
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 999738dc39..d72a00e6b4 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -789,7 +789,7 @@
+       NULL|OvmfPkg/Csm/LegacyBootManagerLib/LegacyBootManagerLib.inf
+ !endif
+   }
+-  MdeModulePkg/Logo/LogoDxe.inf
++  MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+   MdeModulePkg/Application/UiApp/UiApp.inf {
+     <LibraryClasses>
+       NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index d6be798fca..137ed6bceb 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -313,7 +313,7 @@ INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+ !endif
+ INF  ShellPkg/Application/Shell/Shell.inf
+ 
+-INF MdeModulePkg/Logo/LogoDxe.inf
++INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+ 
+ #
+ # Network modules
+-- 
+2.27.0
+
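Review bot: in the new LogoOpenSSLDxe.inf, the `## @file` header still reads "The default logo bitmap picture shown on setup screen." and `[UserExtensions.TianoCore."ExtraFiles"]` lists `LogoDxeExtra.uni`, so apart from BASE_NAME and the bitmap the module describes itself as the stock logo driver. State in the header that this is the OpenSSL-advertisement variant, as LogoOpenSSLDxe.uni does, and either note that sharing LogoDxeExtra.uni is intentional or add a dedicated extra-strings file. "advertisment" is misspelled in all four places in LogoOpenSSLDxe.uni. The `LogoDxe.inf` to `LogoOpenSSLDxe.inf` swaps are consistent across the AmdSev, Ia32, Ia32X64 and X64 DSC/FDF files visible here.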
diff --git a/SOURCES/0011-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch b/SOURCES/0011-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch
new file mode 100644
index 0000000..ad9dd72
--- /dev/null
+++ b/SOURCES/0011-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch
@@ -0,0 +1,82 @@
+From ed975a4db7c55e49ab9de1a0919baafdce9661e3 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Thu, 20 Feb 2014 22:54:45 +0100
+Subject: OvmfPkg: increase max debug message length to 512 (RHEL only)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- no change
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- no change
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- trivial context difference due to upstream commit 2fe5f2f52918
+  ("OvmfPkg/PlatformDebugLibIoPort: Add new APIs", 2019-04-02), resolved
+  by git-cherry-pick automatically
+
+Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
+RHEL-8.1/20190308-89910a39dcfd rebase:
+
+- no changes
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no changes
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- no changes
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- no changes
+
+Upstream prefers short debug messages (sometimes even limited to 80
+characters), but any line length under 512 characters is just unsuitable
+for effective debugging. (For example, config strings in HII routing,
+logged by the platform driver "OvmfPkg/PlatformDxe" on DEBUG_VERBOSE
+level, can be several hundred characters long.) 512 is an empirically good
+value.
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit bfe568d18dba15602604f155982e3b73add63dfb)
+(cherry picked from commit 29435a32ec9428720c74c454ce9817662e601fb6)
+(cherry picked from commit 58e1d1ebb78bfdaf05f4c6e8abf8d4908dfa038a)
+(cherry picked from commit 1df2c822c996ad767f2f45570ab2686458f7604a)
+(cherry picked from commit 22c9b4e971c70c69b4adf8eb93133824ccb6426a)
+(cherry picked from commit a1260c9122c95bcbef1efc5eebe11902767813c2)
+(cherry picked from commit e949bab1268f83f0f5815a96cd1cb9dd3b21bfb5)
+(cherry picked from commit a95cff0b9573bf23699551beb4786383f697ff1e)
+---
+ OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
+index dffb20822d..0577c43c3d 100644
+--- a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
++++ b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
+@@ -21,7 +21,7 @@
+ //
+ // Define the maximum debug and assert message length that this library supports
+ //
+-#define MAX_DEBUG_MESSAGE_LENGTH  0x100
++#define MAX_DEBUG_MESSAGE_LENGTH  0x200
+ 
+ //
+ // VA_LIST can not initialize to NULL for all compiler, so we use this to
+-- 
+2.27.0
+
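Review bot: DebugLib.c, `#define MAX_DEBUG_MESSAGE_LENGTH  0x200`: the comment above the define says it bounds both debug and assert messages, so doubling it doubles every buffer sized from it. The hunk does not show where those buffers live, so check that any stack-allocated one still fits the smallest stack this library instance runs on. The reason for 512 exists only in the commit message; a short comment on the define (HII config strings logged at DEBUG_VERBOSE can be several hundred characters long) would keep the rationale with the code.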
diff --git a/SOURCES/0012-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch b/SOURCES/0012-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch
new file mode 100644
index 0000000..73d2995
--- /dev/null
+++ b/SOURCES/0012-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch
@@ -0,0 +1,168 @@
+From 6901201d2cd1d943ebd41f3d65102f787540d3c4 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 25 Feb 2014 18:40:35 +0100
+Subject: MdeModulePkg: TerminalDxe: add other text resolutions (RHEL only)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- no change
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- no changes
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- no changes
+
+Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
+RHEL-8.1/20190308-89910a39dcfd rebase:
+
+- no change
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- update commit message as requested in
+  <https://bugzilla.redhat.com/show_bug.cgi?id=1503316#c0>
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- no changes
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- adapt commit 0bc77c63de03 (code and commit message) to upstream commit
+  390b95a49c14 ("MdeModulePkg/TerminalDxe: Refine
+  InitializeTerminalConsoleTextMode", 2017-01-10).
+
+When the console output is multiplexed to several devices by
+ConSplitterDxe, then ConSplitterDxe builds an intersection of text modes
+supported by all console output devices.
+
+Two notable output devices are provided by:
+(1) MdeModulePkg/Universal/Console/GraphicsConsoleDxe,
+(2) MdeModulePkg/Universal/Console/TerminalDxe.
+
+GraphicsConsoleDxe supports four modes at most -- see
+InitializeGraphicsConsoleTextMode() and "mGraphicsConsoleModeData":
+
+(1a) 80x25 (required by the UEFI spec as mode 0),
+(1b) 80x50 (not necessarily supported, but if it is, then the UEFI spec
+     requires the driver to provide it as mode 1),
+(1c) 100x31 (corresponding to graphics resolution 800x600, which the UEFI
+     spec requires from all plug-in graphics devices),
+(1d) "full screen" resolution, derived form the underlying GOP's
+     horizontal and vertical resolutions with division by EFI_GLYPH_WIDTH
+     (8) and EFI_GLYPH_HEIGHT (19), respectively.
+
+The automatic "full screen resolution" makes GraphicsConsoleDxe's
+character console very flexible. However, TerminalDxe (which runs on
+serial ports) only provides the following fixed resolutions -- see
+InitializeTerminalConsoleTextMode() and "mTerminalConsoleModeData":
+
+(2a) 80x25 (required by the UEFI spec as mode 0),
+(2b) 80x50 (since the character resolution of a serial device cannot be
+     interrogated easily, this is added unconditionally as mode 1),
+(2c) 100x31 (since the character resolution of a serial device cannot be
+     interrogated easily, this is added unconditionally as mode 2).
+
+When ConSplitterDxe combines (1) and (2), multiplexing console output to
+both video output and serial terminal, the list of commonly supported text
+modes (ie. the "intersection") comprises:
+
+(3a) 80x25, unconditionally, from (1a) and (2a),
+(3b) 80x50, if the graphics console provides at least 640x950 pixel
+     resolution, from (1b) and (2b)
+(3c) 100x31, if the graphics device is a plug-in one (because in that case
+     800x600 is a mandated pixel resolution), from (1c) and (2c).
+
+Unfortunately, the "full screen resolution" (1d) of the GOP-based text
+console is not available in general.
+
+Mitigate this problem by extending "mTerminalConsoleModeData" with a
+handful of text resolutions that are derived from widespread maximal pixel
+resolutions. This way TerminalDxe won't cause ConSplitterDxe to filter out
+the most frequent (1d) values from the intersection, and eg. the MODE
+command in the UEFI shell will offer the "best" (ie. full screen)
+resolution too.
+
+Upstreaming efforts for this patch have been discontinued; it was clear
+from the off-list thread that consensus was impossible to reach.
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 99dc3720ac86059f60156197328cc433603c536e)
+(cherry picked from commit d2066c1748f885043026c51dec1bc8d6d406ae8f)
+(cherry picked from commit 1facdd58e946c584a3dc1e5be8f2f837b5a7c621)
+(cherry picked from commit 28faeb5f94b4866b9da16cf2a1e4e0fc09a26e37)
+(cherry picked from commit 4e4e15b80a5b2103eadd495ef4a830d46dd4ed51)
+(cherry picked from commit 12cb13a1da913912bd9148ce8f2353a75be77f18)
+(cherry picked from commit 82b9edc5fef3a07227a45059bbe821af7b9abd69)
+---
+ .../Universal/Console/TerminalDxe/Terminal.c  | 41 +++++++++++++++++--
+ 1 file changed, 38 insertions(+), 3 deletions(-)
+
+diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c b/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c
+index a98b690c8b..ded5513c74 100644
+--- a/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c
++++ b/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c
+@@ -115,9 +115,44 @@ TERMINAL_DEV  mTerminalDevTemplate = {
+ };
+ 
+ TERMINAL_CONSOLE_MODE_DATA mTerminalConsoleModeData[] = {
+-  {80,  25},
+-  {80,  50},
+-  {100, 31},
++  {   80,  25 }, // from graphics resolution  640 x  480
++  {   80,  50 }, // from graphics resolution  640 x  960
++  {  100,  25 }, // from graphics resolution  800 x  480
++  {  100,  31 }, // from graphics resolution  800 x  600
++  {  104,  32 }, // from graphics resolution  832 x  624
++  {  120,  33 }, // from graphics resolution  960 x  640
++  {  128,  31 }, // from graphics resolution 1024 x  600
++  {  128,  40 }, // from graphics resolution 1024 x  768
++  {  144,  45 }, // from graphics resolution 1152 x  864
++  {  144,  45 }, // from graphics resolution 1152 x  870
++  {  160,  37 }, // from graphics resolution 1280 x  720
++  {  160,  40 }, // from graphics resolution 1280 x  760
++  {  160,  40 }, // from graphics resolution 1280 x  768
++  {  160,  42 }, // from graphics resolution 1280 x  800
++  {  160,  50 }, // from graphics resolution 1280 x  960
++  {  160,  53 }, // from graphics resolution 1280 x 1024
++  {  170,  40 }, // from graphics resolution 1360 x  768
++  {  170,  40 }, // from graphics resolution 1366 x  768
++  {  175,  55 }, // from graphics resolution 1400 x 1050
++  {  180,  47 }, // from graphics resolution 1440 x  900
++  {  200,  47 }, // from graphics resolution 1600 x  900
++  {  200,  63 }, // from graphics resolution 1600 x 1200
++  {  210,  55 }, // from graphics resolution 1680 x 1050
++  {  240,  56 }, // from graphics resolution 1920 x 1080
++  {  240,  63 }, // from graphics resolution 1920 x 1200
++  {  240,  75 }, // from graphics resolution 1920 x 1440
++  {  250, 105 }, // from graphics resolution 2000 x 2000
++  {  256,  80 }, // from graphics resolution 2048 x 1536
++  {  256, 107 }, // from graphics resolution 2048 x 2048
++  {  320,  75 }, // from graphics resolution 2560 x 1440
++  {  320,  84 }, // from graphics resolution 2560 x 1600
++  {  320, 107 }, // from graphics resolution 2560 x 2048
++  {  350, 110 }, // from graphics resolution 2800 x 2100
++  {  400, 126 }, // from graphics resolution 3200 x 2400
++  {  480, 113 }, // from graphics resolution 3840 x 2160
++  {  512, 113 }, // from graphics resolution 4096 x 2160
++  {  960, 227 }, // from graphics resolution 7680 x 4320
++  { 1024, 227 }, // from graphics resolution 8192 x 4320
+   //
+   // New modes can be added here.
+   //
+-- 
+2.27.0
+
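Review bot: Terminal.c, mTerminalConsoleModeData: three pairs of rows are identical, `{ 144, 45 }` (1152x864 and 1152x870), `{ 160, 40 }` (1280x760 and 1280x768) and `{ 170, 40 }` (1360x768 and 1366x768), so the table lists the same text geometry twice. Drop one row of each pair and name both source resolutions in the remaining comment. Also, the commit message describes 100x31 as mode 2, but inserting `{ 100, 25 }` ahead of it moves 100x31 to index 3. If the array index is the mode number, anything that assumed mode 2 now gets 100x25, so either keep the first three rows in their old order or call out the renumbering in the commit message.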
diff --git a/SOURCES/0013-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch b/SOURCES/0013-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch
new file mode 100644
index 0000000..5fe8ff6
--- /dev/null
+++ b/SOURCES/0013-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch
@@ -0,0 +1,181 @@
+From 9485b38e5dbfd2e23ea6ad0585e773d7842a1903 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 25 Feb 2014 22:40:01 +0100
+Subject: MdeModulePkg: TerminalDxe: set xterm resolution on mode change (RH
+ only)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- Resolve harmless conflict in "MdeModulePkg/MdeModulePkg.dec",
+  originating from new upstream commits
+  - 45bc28172fbf ("MdeModulePkg.dec: Change PCDs for status code.",
+                  2020-06-18),
+  - 0785c619a58a ("MdeModulePkg/Bus/Pci/PciBusDxe: Support PCIe Resizable
+                  BAR Capability", 2021-01-04),
+  - ef23012e5439 ("MdeModulePkg: Change default value of
+                  PcdPcieResizableBarSupport to FALSE", 2021-01-14).
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- Resolve trivial conflict in "MdeModulePkg/MdeModulePkg.dec", arising
+  from upstream commit 166830d8f7ca ("MdeModulePkg/dec: add
+  PcdTcgPfpMeasurementRevision PCD", 2020-01-06).
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- Conflict in "MdeModulePkg/MdeModulePkg.dec" due to upstream commits
+  - 1103ba946aee ("MdeModulePkg: Add Capsule On Disk related definition.",
+    2019-06-26),
+  - 1c7b3eb84631 ("MdeModulePkg/DxeIpl: Introduce PCD
+    PcdUse5LevelPageTable", 2019-08-09),
+  with easy manual resolution.
+
+Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
+RHEL-8.1/20190308-89910a39dcfd rebase:
+
+- no change
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no change
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- Refresh downstream-only commit 2909e025db68 against "MdeModulePkg.dec"
+  context change from upstream commits e043f7895b83 ("MdeModulePkg: Add
+  PCD PcdPteMemoryEncryptionAddressOrMask", 2017-02-27) and 76081dfcc5b2
+  ("MdeModulePkg: Add PROMPT&HELP string of pcd to UNI file", 2017-03-03).
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- refresh commit 519b9751573e against various context changes
+
+The
+
+  CSI Ps ; Ps ; Ps t
+
+escape sequence serves for window manipulation. We can use the
+
+  CSI 8 ; <rows> ; <columns> t
+
+sequence to adapt eg. the xterm window size to the selected console mode.
+
+Reference: <http://rtfm.etla.org/xterm/ctlseq.html>
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 2909e025db6878723b49644a8a0cf160d07e6444)
+(cherry picked from commit b9c5c901f25e48d68eef6e78a4abca00e153f574)
+(cherry picked from commit b7f6115b745de8cbc5214b6ede33c9a8558beb90)
+(cherry picked from commit 67415982afdc77922aa37496c981adeb4351acdb)
+(cherry picked from commit cfccb98d13e955beb0b93b4a75a973f30c273ffc)
+(cherry picked from commit a11602f5e2ef930be5b693ddfd0c789a1bd4c60c)
+(cherry picked from commit bc2266f20de5db1636e09a07e4a72c8dbf505f5a)
+---
+ MdeModulePkg/MdeModulePkg.dec                 |  4 +++
+ .../Console/TerminalDxe/TerminalConOut.c      | 30 +++++++++++++++++++
+ .../Console/TerminalDxe/TerminalDxe.inf       |  2 ++
+ 3 files changed, 36 insertions(+)
+
+diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
+index ba2d0290e7..ff70d6e6eb 100644
+--- a/MdeModulePkg/MdeModulePkg.dec
++++ b/MdeModulePkg/MdeModulePkg.dec
+@@ -2046,6 +2046,10 @@
+   # @Prompt Enable PCIe Resizable BAR Capability support.
+   gEfiMdeModulePkgTokenSpaceGuid.PcdPcieResizableBarSupport|FALSE|BOOLEAN|0x10000024
+ 
++  ## Controls whether TerminalDxe outputs an XTerm resize sequence on terminal
++  #  mode change.
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE|BOOLEAN|0x00010080
++
+ [PcdsPatchableInModule]
+   ## Specify memory size with page number for PEI code when
+   #  Loading Module at Fixed Address feature is enabled.
+diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c
+index aae470e956..26156857aa 100644
+--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c
++++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c
+@@ -7,6 +7,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ **/
+ 
++#include <Library/PrintLib.h>
++
+ #include "Terminal.h"
+ 
+ //
+@@ -80,6 +82,16 @@ CHAR16 mSetCursorPositionString[]  = { ESC, '[', '0', '0', ';', '0', '0', 'H', 0
+ CHAR16 mCursorForwardString[]      = { ESC, '[', '0', '0', 'C', 0 };
+ CHAR16 mCursorBackwardString[]     = { ESC, '[', '0', '0', 'D', 0 };
+ 
++//
++// Note that this is an ASCII format string, taking two INT32 arguments:
++// rows, columns.
++//
++// A %d (INT32) format specification can expand to at most 11 characters.
++//
++CHAR8 mResizeTextAreaFormatString[] = "\x1B[8;%d;%dt";
++#define RESIZE_SEQ_SIZE (sizeof mResizeTextAreaFormatString + 2 * (11 - 2))
++
++
+ //
+ // Body of the ConOut functions
+ //
+@@ -506,6 +518,24 @@ TerminalConOutSetMode (
+     return EFI_DEVICE_ERROR;
+   }
+ 
++  if (PcdGetBool (PcdResizeXterm)) {
++    CHAR16 ResizeSequence[RESIZE_SEQ_SIZE];
++
++    UnicodeSPrintAsciiFormat (
++      ResizeSequence,
++      sizeof ResizeSequence,
++      mResizeTextAreaFormatString,
++      (INT32) TerminalDevice->TerminalConsoleModeData[ModeNumber].Rows,
++      (INT32) TerminalDevice->TerminalConsoleModeData[ModeNumber].Columns
++      );
++    TerminalDevice->OutputEscChar = TRUE;
++    Status                        = This->OutputString (This, ResizeSequence);
++    TerminalDevice->OutputEscChar = FALSE;
++    if (EFI_ERROR (Status)) {
++      return EFI_DEVICE_ERROR;
++    }
++  }
++
+   This->Mode->Mode  = (INT32) ModeNumber;
+ 
+   Status            = This->ClearScreen (This);
+diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
+index b2a8aeba85..eff6253465 100644
+--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
++++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
+@@ -55,6 +55,7 @@
+   DebugLib
+   PcdLib
+   BaseLib
++  PrintLib
+ 
+ [Guids]
+   ## SOMETIMES_PRODUCES ## Variable:L"ConInDev"
+@@ -87,6 +88,7 @@
+ [Pcd]
+   gEfiMdePkgTokenSpaceGuid.PcdDefaultTerminalType           ## SOMETIMES_CONSUMES
+   gEfiMdeModulePkgTokenSpaceGuid.PcdErrorCodeSetVariable    ## CONSUMES
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm             ## CONSUMES
+ 
+ # [Event]
+ # # Relative timer event set by UnicodeToEfiKey(), used to be one 2 seconds input timeout.
+-- 
+2.27.0
+
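Review bot: MdeModulePkg.dec: the PcdResizeXterm declaration has a description but no `# @Prompt` line, unlike the PcdPcieResizableBarSupport entry directly above it, and its token 0x00010080 does not follow that neighbour's 0x10000024. Add the prompt, and add a comment marking the token as downstream-only so that a later upstream PCD taking the same value is caught at rebase time. In TerminalConOut.c, RESIZE_SEQ_SIZE is correct only while the format string holds exactly two `%d` conversions; the comment already says so, so keep the two definitions adjacent if either is edited.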
diff --git a/SOURCES/0014-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch b/SOURCES/0014-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch
new file mode 100644
index 0000000..6e2689a
--- /dev/null
+++ b/SOURCES/0014-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch
@@ -0,0 +1,151 @@
+From 1165bbcec94a97cf1d1509df8210feb2e1db00c5 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 14 Oct 2015 15:59:06 +0200
+Subject: OvmfPkg: take PcdResizeXterm from the QEMU command line (RH only)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been
+  introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit
+  to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077.
+
+  We've always patched all those DSC/FDF files in OvmfPkg down-stream that
+  made sense at least in theory on QEMU. (For example, we've always
+  patched "OvmfPkgIa32.dsc" and "OvmfPkgIa32.fdf", even though we never
+  build or ship the pure IA32 firmware platform.) Follow suit with
+  "AmdSevX64.dsc".
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- Resolve contextual conflict in the DSC files, from upstream commit
+  b0ed7ebdebd1 ("OvmfPkg: set fixed FlashNvStorage base addresses with -D
+  SMM_REQUIRE", 2020-03-12).
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- no change
+
+Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
+RHEL-8.1/20190308-89910a39dcfd rebase:
+
+- no change
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no change
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- refresh downstream-only commit 8abc2a6ddad2 against context differences
+  in the DSC files from upstream commit 5e167d7e784c
+  ("OvmfPkg/PlatformPei: don't allocate reserved mem varstore if
+  SMM_REQUIRE", 2017-03-12).
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- no changes
+
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 6fa0c4d67c0bb8bde2ddd6db41c19eb0c40b2721)
+(cherry picked from commit 8abc2a6ddad25af7e88dc0cf57d55dfb75fbf92d)
+(cherry picked from commit b311932d3841c017a0f0fec553edcac365cc2038)
+(cherry picked from commit 61914fb81cf624c9028d015533b400b2794e52d3)
+(cherry picked from commit 2ebf3cc2ae99275d63bb6efd3c22dec76251a853)
+(cherry picked from commit f9b73437b9b231773c1a20e0c516168817a930a2)
+(cherry picked from commit 2cc462ee963d0be119bc97bfc9c70d292a40516f)
+(cherry picked from commit 51e0de961029af84b5bdbfddcc9762b1819d500f)
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc        | 1 +
+ OvmfPkg/OvmfPkgIa32.dsc             | 1 +
+ OvmfPkg/OvmfPkgIa32X64.dsc          | 1 +
+ OvmfPkg/OvmfPkgX64.dsc              | 1 +
+ OvmfPkg/PlatformPei/Platform.c      | 1 +
+ OvmfPkg/PlatformPei/PlatformPei.inf | 1 +
+ 6 files changed, 6 insertions(+)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 52bcae6cf6..0a8cb7fd3b 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -534,6 +534,7 @@
+ [PcdsDynamicDefault]
+   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+ 
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index d8f03caa30..e6df324c7c 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -594,6 +594,7 @@
+   #   ($(SMM_REQUIRE) == FALSE)
+   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+ 
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
+ !if $(SMM_REQUIRE) == FALSE
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 312577ebae..8104fe0218 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -600,6 +600,7 @@
+   #   ($(SMM_REQUIRE) == FALSE)
+   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+ 
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
+ !if $(SMM_REQUIRE) == FALSE
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index d72a00e6b4..3c8b2649a8 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -600,6 +600,7 @@
+   #   ($(SMM_REQUIRE) == FALSE)
+   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+ 
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
+ !if $(SMM_REQUIRE) == FALSE
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0
+diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c
+index 96468701e3..14efbabe39 100644
+--- a/OvmfPkg/PlatformPei/Platform.c
++++ b/OvmfPkg/PlatformPei/Platform.c
+@@ -748,6 +748,7 @@ InitializePlatform (
+     MemTypeInfoInitialization ();
+     MemMapInitialization ();
+     NoexecDxeInitialization ();
++    UPDATE_BOOLEAN_PCD_FROM_FW_CFG (PcdResizeXterm);
+   }
+ 
+   InstallClearCacheCallback ();
+diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
+index 6ef77ba7bb..22425d34c0 100644
+--- a/OvmfPkg/PlatformPei/PlatformPei.inf
++++ b/OvmfPkg/PlatformPei/PlatformPei.inf
+@@ -97,6 +97,7 @@
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize
+   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved
+   gEfiMdeModulePkgTokenSpaceGuid.PcdPciDisableBusEnumeration
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm
+   gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode
+   gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable
+   gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack
+-- 
+2.27.0
+
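Review bot: Platform.c, InitializePlatform(): `UPDATE_BOOLEAN_PCD_FROM_FW_CFG (PcdResizeXterm);` is added inside the block that closes on the next line, so on the path that skips that block the PCD keeps the `FALSE` default set in the DSC files; confirm that is intended. Neither the commit message nor the code names the fw_cfg key or the QEMU option that sets it, so add that to the message. The value is supplied by the host, which matters for the AmdSevX64 platform patched here: per the previous patch it only gates a terminal resize escape sequence, and a comment saying so would keep the knob from being reused for anything security-relevant.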
diff --git a/SOURCES/0015-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch b/SOURCES/0015-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch
new file mode 100644
index 0000000..aeb9736
--- /dev/null
+++ b/SOURCES/0015-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch
@@ -0,0 +1,203 @@
+From 3f9662c435278564640be672f0c4e17e535f1765 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Sun, 26 Jul 2015 08:02:50 +0000
+Subject: ArmVirtPkg: take PcdResizeXterm from the QEMU command line (RH only)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- no change
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- Resolve leading context divergence in "ArmVirtPkg/ArmVirtQemu.dsc",
+  arising from upstream commits:
+
+  - 82662a3b5f56 ("ArmVirtPkg/PlatformPeiLib: discover the TPM base
+                  address from the DT", 2020-03-04)
+
+  - ddd34a818315 ("ArmVirtPkg/ArmVirtQemu: enable TPM2 support in the PEI
+                  phase", 2020-03-04)
+
+  - cdc3fa54184a ("ArmVirtPkg: control PXEv4 / PXEv6 boot support from the
+                  QEMU command line", 2020-04-28)
+
+- Rework the downstream patch quite a bit, paralleling the upstream work
+  done for <https://bugzilla.tianocore.org/show_bug.cgi?id=2681> in commit
+  range 64ab457d1f21..cdc3fa54184a:
+
+  - Refresh copyright year in TerminalPcdProducerLib.{inf,c}. Also replace
+    open-coded BSDL with "SPDX-License-Identifier: BSD-2-Clause-Patent".
+
+  - Simplify LIBRARY_CLASS: this lib instance is meant to be consumed only
+    via NULL class resolution (basically: as a plugin), so use NULL for
+    LIBRARY_CLASS, not "TerminalPcdProducerLib|DXE_DRIVER".
+
+  - Sort the [Packages] section alphabetically in the INF file.
+
+  - Replace the open-coded GetNamedFwCfgBoolean() function with a call to
+    QemuFwCfgParseBool(), from QemuFwCfgSimpleParserLib.
+
+  - Add the SOMETIMES_PRODUCES usage comment in the [Pcd] section of the
+    INF file.
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- no change
+
+Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
+RHEL-8.1/20190308-89910a39dcfd rebase:
+
+- no change
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no change
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- Refresh downstream-only commit d4564d39dfdb against context changes in
+  "ArmVirtPkg/ArmVirtQemu.dsc" from upstream commit 7e5f1b673870
+  ("ArmVirtPkg/PlatformHasAcpiDtDxe: allow guest level ACPI disable
+  override", 2017-03-29).
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- Adapt commit 6b97969096a3 to the fact that upstream has deprecated such
+  setter functions for dynamic PCDs that don't return a status code (such
+  as PcdSetBool()). Employ PcdSetBoolS(), and assert that it succeeds --
+  there's really no circumstance in this case when it could fail.
+
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit d4564d39dfdbf74e762af43314005a2c026cb262)
+(cherry picked from commit c9081ebe3bcd28e5cce4bf58bd8d4fca12f9af7c)
+(cherry picked from commit 8e92730c8e1cdb642b3b3e680e643ff774a90c65)
+(cherry picked from commit 9448b6b46267d8d807fac0c648e693171bb34806)
+(cherry picked from commit 232fcf06f6b3048b7c2ebd6931f23186b3852f04)
+(cherry picked from commit 8338545260fbb423f796d5196faaaf8ff6e1ed99)
+(cherry picked from commit a5f7a57bf390f1f340ff1d1f1884a73716817ef1)
+---
+ ArmVirtPkg/ArmVirtQemu.dsc                    |  7 +++-
+ .../TerminalPcdProducerLib.c                  | 34 +++++++++++++++++++
+ .../TerminalPcdProducerLib.inf                | 33 ++++++++++++++++++
+ 3 files changed, 73 insertions(+), 1 deletion(-)
+ create mode 100644 ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c
+ create mode 100644 ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
+
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index 54d637163c..41a26c8d18 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -280,6 +280,8 @@
+   gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0
+ !endif
+ 
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
++
+ [PcdsDynamicHii]
+   gArmVirtTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gArmVirtVariableGuid|0x0|FALSE|NV,BS
+ 
+@@ -382,7 +384,10 @@
+   MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf
+   MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitterDxe.inf
+   MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf
+-  MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
++  MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf {
++    <LibraryClasses>
++      NULL|ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
++  }
+   MdeModulePkg/Universal/SerialDxe/SerialDxe.inf
+ 
+   MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+diff --git a/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c
+new file mode 100644
+index 0000000000..bfd3a6a535
+--- /dev/null
++++ b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c
+@@ -0,0 +1,34 @@
++/** @file
++*  Plugin library for setting up dynamic PCDs for TerminalDxe, from fw_cfg
++*
++*  Copyright (C) 2015-2020, Red Hat, Inc.
++*  Copyright (c) 2014, Linaro Ltd. All rights reserved.<BR>
++*
++*  SPDX-License-Identifier: BSD-2-Clause-Patent
++**/
++
++#include <Library/DebugLib.h>
++#include <Library/PcdLib.h>
++#include <Library/QemuFwCfgSimpleParserLib.h>
++
++#define UPDATE_BOOLEAN_PCD_FROM_FW_CFG(TokenName)                             \
++          do {                                                                \
++            BOOLEAN       Setting;                                            \
++            RETURN_STATUS PcdStatus;                                          \
++                                                                              \
++            if (!RETURN_ERROR (QemuFwCfgParseBool (                           \
++                    "opt/org.tianocore.edk2.aavmf/" #TokenName, &Setting))) { \
++              PcdStatus = PcdSetBoolS (TokenName, Setting);                   \
++              ASSERT_RETURN_ERROR (PcdStatus);                                \
++            }                                                                 \
++          } while (0)
++
++RETURN_STATUS
++EFIAPI
++TerminalPcdProducerLibConstructor (
++  VOID
++  )
++{
++  UPDATE_BOOLEAN_PCD_FROM_FW_CFG (PcdResizeXterm);
++  return RETURN_SUCCESS;
++}
+diff --git a/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
+new file mode 100644
+index 0000000000..a51dbd1670
+--- /dev/null
++++ b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
+@@ -0,0 +1,33 @@
++## @file
++#  Plugin library for setting up dynamic PCDs for TerminalDxe, from fw_cfg
++#
++#  Copyright (C) 2015-2020, Red Hat, Inc.
++#  Copyright (c) 2014, Linaro Ltd. All rights reserved.<BR>
++#
++#  SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++
++[Defines]
++  INF_VERSION                    = 0x00010005
++  BASE_NAME                      = TerminalPcdProducerLib
++  FILE_GUID                      = 4a0c5ed7-8c42-4c01-8f4c-7bf258316a96
++  MODULE_TYPE                    = BASE
++  VERSION_STRING                 = 1.0
++  LIBRARY_CLASS                  = NULL
++  CONSTRUCTOR                    = TerminalPcdProducerLibConstructor
++
++[Sources]
++  TerminalPcdProducerLib.c
++
++[Packages]
++  MdeModulePkg/MdeModulePkg.dec
++  MdePkg/MdePkg.dec
++  OvmfPkg/OvmfPkg.dec
++
++[LibraryClasses]
++  DebugLib
++  PcdLib
++  QemuFwCfgSimpleParserLib
++
++[Pcd]
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm ## SOMETIMES_PRODUCES
+-- 
+2.27.0
+
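Review bot: in UPDATE_BOOLEAN_PCD_FROM_FW_CFG (TerminalPcdProducerLib.c), every QemuFwCfgParseBool() failure is dropped silently, so an absent fw_cfg file and a malformed value supplied on the QEMU command line look the same, and both leave PcdResizeXterm at the FALSE default set in ArmVirtQemu.dsc. Consider logging the returned status in an else branch so a mistyped option can be diagnosed from the debug log. The fw_cfg path is built by stringifying the token name ("opt/org.tianocore.edk2.aavmf/" #TokenName), which makes the PCD name part of the host-facing interface; a comment in the .c or .inf file spelling out the full key, opt/org.tianocore.edk2.aavmf/PcdResizeXterm, would keep a later rename from changing that interface unnoticed.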
diff --git a/SOURCES/0016-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch b/SOURCES/0016-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch
new file mode 100644
index 0000000..165dd67
--- /dev/null
+++ b/SOURCES/0016-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch
@@ -0,0 +1,172 @@
+From e9d9e73c317b256c0bdc6530b82a6a625d7d54db Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 4 Nov 2014 23:02:53 +0100
+Subject: OvmfPkg: allow exclusion of the shell from the firmware image (RH
+ only)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- No manual / explicit code change is necessary, because the newly
+  inherited OvmfPkg/AmdSev platform already has its own BUILD_SHELL
+  build-time macro (feature test flag), with default value FALSE -- from
+  upstream commit b261a30c900a ("OvmfPkg/AmdSev: add Grub Firmware Volume
+  Package", 2020-12-14).
+
+- Contextual differences from new upstream commits 2d8ca4f90eae ("OvmfPkg:
+  enable HttpDynamicCommand", 2020-10-01) and 5ab6a0e1c8e9 ("OvmfPkg:
+  introduce VirtioFsDxe", 2020-12-21) have been auto-resolved by
+  git-cherry-pick.
+
+- Remove obsolete commit message tags related to downstream patch
+  management: Message-id, Patchwork-id, O-Subject, Acked-by
+  (RHBZ#1846481).
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- context difference from upstream commit ec41733cfd10 ("OvmfPkg: add the
+  'initrd' dynamic shell command", 2020-03-04) correctly auto-resolved
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- no change
+
+Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
+RHEL-8.1/20190308-89910a39dcfd rebase:
+
+- update the patch against the following upstream commits:
+  - 4b888334d234 ("OvmfPkg: Remove EdkShellBinPkg in FDF", 2018-11-19)
+  - 277a3958d93a ("OvmfPkg: Don't include TftpDynamicCommand in XCODE5
+                  tool chain", 2018-11-27)
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no change
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- no changes
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- no changes
+
+Bugzilla: 1147592
+
+When '-D EXCLUDE_SHELL_FROM_FD' is passed to 'build', exclude the shell
+binary from the firmware image.
+
+Peter Jones advised us that firmware vendors for physical systems disable
+the memory-mapped, firmware image-contained UEFI shell in
+SecureBoot-enabled builds. The reason being that the memory-mapped shell
+can always load, it may have direct access to various hardware in the
+system, and it can run UEFI shell scripts (which cannot be signed at all).
+
+Intended use of the new build option:
+
+- In-tree builds: don't pass '-D EXCLUDE_SHELL_FROM_FD'. The resultant
+  firmware image will contain a shell binary, independently of SecureBoot
+  enablement, which is flexible for interactive development. (Ie. no
+  change for in-tree builds.)
+
+- RPM builds: pass both '-D SECURE_BOOT_ENABLE' and
+  '-D EXCLUDE_SHELL_FROM_FD'. The resultant RPM will provide:
+
+  - OVMF_CODE.fd: SecureBoot-enabled firmware, without builtin UEFI shell,
+
+  - OVMF_VARS.fd: variable store template matching OVMF_CODE.fd,
+
+  - UefiShell.iso: a bootable ISO image with the shell on it as default
+    boot loader. The shell binary will load when SecureBoot is turned off,
+    and won't load when SecureBoot is turned on (because it is not
+    signed).
+
+    UefiShell.iso is the reason we're not excluding the shell from the DSC
+    files as well, only the FDF files -- when '-D EXCLUDE_SHELL_FROM_FD'
+    is specified, the shell binary needs to be built the same, only it
+    will be included in UefiShell.iso.
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 9c391def70366cabae08e6008814299c3372fafd)
+(cherry picked from commit d9dd9ee42937b2611fe37183cc9ec7f62d946933)
+(cherry picked from commit 23df46ebbe7b09451d3a05034acd4d3a25e7177b)
+(cherry picked from commit f0303f71d576c51b01c4ff961b429d0e0e707245)
+(cherry picked from commit bbd64eb8658e9a33eab4227d9f4e51ad78d9f687)
+(cherry picked from commit 8628ef1b8d675ebec39d83834abbe3c8c8c42cf4)
+(cherry picked from commit 229c88dc3ded9baeaca8b87767dc5c41c05afd6e)
+(cherry picked from commit c2812d7189dee06c780f05a5880eb421c359a687)
+---
+ OvmfPkg/OvmfPkgIa32.fdf    | 2 ++
+ OvmfPkg/OvmfPkgIa32X64.fdf | 2 ++
+ OvmfPkg/OvmfPkgX64.fdf     | 2 ++
+ 3 files changed, 6 insertions(+)
+
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index e3b1d74ce2..969524cf3b 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -293,12 +293,14 @@ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+ INF  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+ 
++!ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+ INF  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
+ INF  ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
+ INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+ !endif
+ INF  ShellPkg/Application/Shell/Shell.inf
++!endif
+ 
+ INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+ 
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index f7732382d4..36f078556f 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -294,12 +294,14 @@ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+ INF  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+ 
++!ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+ INF  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
+ INF  ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
+ INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+ !endif
+ INF  ShellPkg/Application/Shell/Shell.inf
++!endif
+ 
+ INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+ 
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index 137ed6bceb..a5900d8377 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -306,12 +306,14 @@ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+ INF  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+ 
++!ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+ INF  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
+ INF  ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
+ INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+ !endif
+ INF  ShellPkg/Application/Shell/Shell.inf
++!endif
+ 
+ INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+ 
+-- 
+2.27.0
+
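Review bot: the "!ifndef $(EXCLUDE_SHELL_FROM_FD)" guard added to the three FDF files tests only whether the macro is defined, so "-D EXCLUDE_SHELL_FROM_FD=FALSE" would still drop Shell.inf and the dynamic shell commands from the image. Nothing in these hunks links the guard to SECURE_BOOT_ENABLE either: per the commit message the RPM build is expected to pass both flags, so whether the SecureBoot-enabled OVMF_CODE.fd ships without the built-in shell depends entirely on the packaging. A comment next to the guard stating that dependency, and a packaging-time check that Shell.inf is absent from the SecureBoot image, would make it visible. It is also worth noting in the FDF files that OvmfPkg/AmdSev uses the separate BUILD_SHELL macro mentioned in the rebase notes, so the two switches are not confused.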
diff --git a/SOURCES/0017-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch b/SOURCES/0017-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch
new file mode 100644
index 0000000..590baed
--- /dev/null
+++ b/SOURCES/0017-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch
@@ -0,0 +1,93 @@
+From 6d968342cbfa40a8192cee7c685e1c794e6053df Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 14 Oct 2015 13:49:43 +0200
+Subject: ArmPlatformPkg: introduce fixed PCD for early hello message (RH only)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- no change
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- no change
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- no change
+
+Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
+RHEL-8.1/20190308-89910a39dcfd rebase:
+
+- no change
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no changes
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- no changes
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- no changes
+
+Drew has proposed that ARM|AARCH64 platform firmware (especially virtual
+machine firmware) print a reasonably early, simple hello message to the
+serial port, regardless of debug mask settings. This should inform
+interactive users, and provide some rough help in localizing boot
+problems, even with restrictive debug masks.
+
+If a platform doesn't want this feature, it should stick with the default
+empty string.
+
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1270279
+Downstream only:
+<http://thread.gmane.org/gmane.comp.bios.edk2.devel/2996/focus=3433>.
+
+Suggested-by: Drew Jones <drjones@redhat.com>
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 7ce97b06421434c82095f01a1753a8c9c546cc30)
+(cherry picked from commit 20b1f1cbd0590aa71c6d99d35e23cf08e0707750)
+(cherry picked from commit 6734b88cf7abcaf42632e3d2fc469b2169dd2f16)
+(cherry picked from commit ef77da632559e9baa1c69869e4cbea377068ef27)
+(cherry picked from commit 58755c51d3252312d80cbcb97928d71199c2f5e1)
+(cherry picked from commit c3f07e323e76856f1b42ea7b8c598ba3201c28a2)
+(cherry picked from commit 9f756c1ad83cc81f7d892cd036d59a2b567b02dc)
+(cherry picked from commit c75aea7a738ac7fb944c0695a4bfffc3985afaa9)
+---
+ ArmPlatformPkg/ArmPlatformPkg.dec | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/ArmPlatformPkg/ArmPlatformPkg.dec b/ArmPlatformPkg/ArmPlatformPkg.dec
+index 3a25ddcdc8..b2b58553c7 100644
+--- a/ArmPlatformPkg/ArmPlatformPkg.dec
++++ b/ArmPlatformPkg/ArmPlatformPkg.dec
+@@ -121,6 +121,13 @@
+   ## If set, this will swap settings for HDLCD RED_SELECT and BLUE_SELECT registers
+   gArmPlatformTokenSpaceGuid.PcdArmHdLcdSwapBlueRedSelect|FALSE|BOOLEAN|0x00000045
+ 
++  #
++  # Early hello message (ASCII string), printed to the serial port.
++  # If set to the empty string, nothing is printed.
++  # Otherwise, a trailing CRLF should be specified explicitly.
++  #
++  gArmPlatformTokenSpaceGuid.PcdEarlyHelloMessage|""|VOID*|0x00000100
++
+ [PcdsFixedAtBuild.common,PcdsDynamic.common]
+   ## PL031 RealTimeClock
+   gArmPlatformTokenSpaceGuid.PcdPL031RtcBase|0x0|UINT32|0x00000024
+-- 
+2.27.0
+
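Review bot: the new PcdEarlyHelloMessage entry in ArmPlatformPkg.dec is documented with a plain "#" comment block, while the entry directly above it uses the "##" form ("## If set, this will swap settings ..."); use the same form so the description follows the file's convention. The token number 0x00000100 is well away from the neighbouring 0x00000045 with no explanation; if the gap is there to avoid clashing with upstream allocations, say so in the comment. The subject calls this a fixed PCD, but the hunk does not show the section header the entry lands under; confirm it is a FixedAtBuild-only section, since the entry sits directly above "[PcdsFixedAtBuild.common,PcdsDynamic.common]" and the consumer in the next patch uses FixedPcdGetSize() and FixedPcdGetPtr().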
diff --git a/SOURCES/0018-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch b/SOURCES/0018-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch
new file mode 100644
index 0000000..affbde1
--- /dev/null
+++ b/SOURCES/0018-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch
@@ -0,0 +1,145 @@
+From e46d1e3f4c9b301acfa15fa4089661947e8742a4 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 14 Oct 2015 13:59:20 +0200
+Subject: ArmPlatformPkg: PrePeiCore: write early hello message to the serial
+ port (RH)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- no change
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- no change
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- no change
+
+Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
+RHEL-8.1/20190308-89910a39dcfd rebase:
+
+- no change
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- adapt to upstream commit 7e2a8dfe8a9a ("ArmPlatformPkg/PrePeiCore: seed
+  temporary stack before entering PEI core", 2017-11-09) -- conflict
+  resolution in "ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf"
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- no changes
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- no changes
+
+The FixedPcdGetSize() macro expands to an integer constant, therefore an
+optimizing compiler can eliminate the new code, if the platform DSC
+doesn't override the empty string (size=1) default of
+PcdEarlyHelloMessage.
+
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1270279
+Downstream only:
+<http://thread.gmane.org/gmane.comp.bios.edk2.devel/2996/focus=3433>.
+
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit b16c4c505ce0e27305235533eac9236aa66f132e)
+(cherry picked from commit 742e5bf6d5ce5a1e73879d6e5c0dd00feda7a9ac)
+(cherry picked from commit 93d69eb9393cf05af90676253875c59c1bec67fd)
+(cherry picked from commit 638594083b191f84f5d9333eb6147a31570f5a5a)
+(cherry picked from commit f4b7aae411d88b2b83f85d20ef06a4032a57e7de)
+(cherry picked from commit bb71490fdda3b38fa9f071d281b863f9b64363bf)
+(cherry picked from commit 8d5a8827aabc67cb2a046697e1a750ca8d9cc453)
+(cherry picked from commit 49fe5596cd79c94d903c4d506c563d642ccd69aa)
+---
+ ArmPlatformPkg/PrePeiCore/MainMPCore.c          | 5 +++++
+ ArmPlatformPkg/PrePeiCore/MainUniCore.c         | 5 +++++
+ ArmPlatformPkg/PrePeiCore/PrePeiCore.h          | 1 +
+ ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf  | 2 ++
+ ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf | 2 ++
+ 5 files changed, 15 insertions(+)
+
+diff --git a/ArmPlatformPkg/PrePeiCore/MainMPCore.c b/ArmPlatformPkg/PrePeiCore/MainMPCore.c
+index 859f1adf20..cf9e65bb7c 100644
+--- a/ArmPlatformPkg/PrePeiCore/MainMPCore.c
++++ b/ArmPlatformPkg/PrePeiCore/MainMPCore.c
+@@ -111,6 +111,11 @@ PrimaryMain (
+   UINTN                       TemporaryRamBase;
+   UINTN                       TemporaryRamSize;
+ 
++  if (FixedPcdGetSize (PcdEarlyHelloMessage) > 1) {
++    SerialPortWrite (FixedPcdGetPtr (PcdEarlyHelloMessage),
++      FixedPcdGetSize (PcdEarlyHelloMessage) - 1);
++  }
++
+   CreatePpiList (&PpiListSize, &PpiList);
+ 
+   // Enable the GIC Distributor
+diff --git a/ArmPlatformPkg/PrePeiCore/MainUniCore.c b/ArmPlatformPkg/PrePeiCore/MainUniCore.c
+index 220f9b5680..158cc34c77 100644
+--- a/ArmPlatformPkg/PrePeiCore/MainUniCore.c
++++ b/ArmPlatformPkg/PrePeiCore/MainUniCore.c
+@@ -29,6 +29,11 @@ PrimaryMain (
+   UINTN                       TemporaryRamBase;
+   UINTN                       TemporaryRamSize;
+ 
++  if (FixedPcdGetSize (PcdEarlyHelloMessage) > 1) {
++    SerialPortWrite (FixedPcdGetPtr (PcdEarlyHelloMessage),
++      FixedPcdGetSize (PcdEarlyHelloMessage) - 1);
++  }
++
+   CreatePpiList (&PpiListSize, &PpiList);
+ 
+   // Adjust the Temporary Ram as the new Ppi List (Common + Platform Ppi Lists) is created at
+diff --git a/ArmPlatformPkg/PrePeiCore/PrePeiCore.h b/ArmPlatformPkg/PrePeiCore/PrePeiCore.h
+index 7b155a8a61..e9e283f9ec 100644
+--- a/ArmPlatformPkg/PrePeiCore/PrePeiCore.h
++++ b/ArmPlatformPkg/PrePeiCore/PrePeiCore.h
+@@ -15,6 +15,7 @@
+ #include <Library/DebugLib.h>
+ #include <Library/IoLib.h>
+ #include <Library/PcdLib.h>
++#include <Library/SerialPortLib.h>
+ 
+ #include <PiPei.h>
+ #include <Ppi/TemporaryRamSupport.h>
+diff --git a/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf b/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf
+index fb01dd1a11..a6681c1032 100644
+--- a/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf
++++ b/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf
+@@ -69,6 +69,8 @@
+   gArmPlatformTokenSpaceGuid.PcdCPUCorePrimaryStackSize
+   gArmPlatformTokenSpaceGuid.PcdCPUCoreSecondaryStackSize
+ 
++  gArmPlatformTokenSpaceGuid.PcdEarlyHelloMessage
++
+   gArmTokenSpaceGuid.PcdGicDistributorBase
+   gArmTokenSpaceGuid.PcdGicInterruptInterfaceBase
+   gArmTokenSpaceGuid.PcdGicSgiIntId
+diff --git a/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf b/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf
+index e9eb092d3a..c98dc82f0c 100644
+--- a/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf
++++ b/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf
+@@ -67,4 +67,6 @@
+   gArmPlatformTokenSpaceGuid.PcdCPUCorePrimaryStackSize
+   gArmPlatformTokenSpaceGuid.PcdCPUCoreSecondaryStackSize
+ 
++  gArmPlatformTokenSpaceGuid.PcdEarlyHelloMessage
++
+   gEfiMdeModulePkgTokenSpaceGuid.PcdInitValueInTempStack
+-- 
+2.27.0
+
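Review bot: PrePeiCore.h gains "#include <Library/SerialPortLib.h>" and both PrimaryMain() variants now call SerialPortWrite(), but the two INF hunks add only the PcdEarlyHelloMessage line; confirm that SerialPortLib is already listed under [LibraryClasses] in PrePeiCoreMPCore.inf and PrePeiCoreUniCore.inf, and add it if it is not. The write is the first statement of PrimaryMain(), so it also depends on the serial port having been initialized before this point, which the hunks do not show. The same four lines are duplicated in MainMPCore.c and MainUniCore.c; a small helper declared in PrePeiCore.h would keep the two copies from drifting apart.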
diff --git a/SOURCES/0019-ArmVirtPkg-set-early-hello-message-RH-only.patch b/SOURCES/0019-ArmVirtPkg-set-early-hello-message-RH-only.patch
new file mode 100644
index 0000000..5e4f5c9
--- /dev/null
+++ b/SOURCES/0019-ArmVirtPkg-set-early-hello-message-RH-only.patch
@@ -0,0 +1,82 @@
+From b14a92fafb171ad4a47598076bd028e5cf33ac28 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 14 Oct 2015 14:07:17 +0200
+Subject: ArmVirtPkg: set early hello message (RH only)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- no change
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- context difference from upstream commit f5cb3767038e
+  ("ArmVirtPkg/ArmVirtQemu: add ResetSystem PEIM for upcoming TPM2
+  support", 2020-03-04) automatically resolved correctly
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- no change
+
+Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
+RHEL-8.1/20190308-89910a39dcfd rebase:
+
+- resolve context conflict with upstream commit eaa1e98ae31d ("ArmVirtPkg:
+  don't set PcdCoreCount", 2019-02-13)
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no changes
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- no changes
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- no changes
+
+Print a friendly banner on QEMU, regardless of debug mask settings.
+
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1270279
+Downstream only:
+<http://thread.gmane.org/gmane.comp.bios.edk2.devel/2996/focus=3433>.
+
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 5d4a15b9019728b2d96322bc679099da49916925)
+(cherry picked from commit 179df76dbb0d199bd905236e98775b4059c6502a)
+(cherry picked from commit ce3f59d0710c24c162d5222bbf5cd7e36180c80c)
+(cherry picked from commit c201a8e6ae28d75f7ba581828b533c3b26fa7f18)
+(cherry picked from commit 2d4db6ec70e004cd9ac147615d17033bee5d3b18)
+(cherry picked from commit fb2032bbea7e02c426855cf86a323556d493fd8a)
+(cherry picked from commit ba73b99d5cb38f87c1a8f0936d515eaaefa3f04b)
+(cherry picked from commit 72550e12ae469012a505bf5b98a6543a754028d3)
+---
+ ArmVirtPkg/ArmVirtQemu.dsc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index 41a26c8d18..971422411d 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -132,6 +132,7 @@
+   gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|$(TPM2_ENABLE)
+ 
+ [PcdsFixedAtBuild.common]
++  gArmPlatformTokenSpaceGuid.PcdEarlyHelloMessage|"UEFI firmware starting.\r\n"
+ !if $(ARCH) == AARCH64
+   gArmTokenSpaceGuid.PcdVFPEnabled|1
+ !endif
+-- 
+2.27.0
+
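Review bot: the PcdEarlyHelloMessage line added at the top of [PcdsFixedAtBuild.common] in ArmVirtQemu.dsc has no comment saying that it is a downstream-only setting consumed by PrePeiCore, and the rebase notes above already record upstream context changes around it in two earlier rebases. A one-line comment would make the line easier to carry forward. Per the diffstat only ArmVirtQemu.dsc is changed, so any other platform DSC keeps the empty default and prints nothing; state in the commit message whether that is intended.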
diff --git a/SOURCES/0020-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch b/SOURCES/0020-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch
new file mode 100644
index 0000000..51c0342
--- /dev/null
+++ b/SOURCES/0020-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch
@@ -0,0 +1,121 @@
+From 1771ff7479664c05884dab5a34d128cf8b01086f Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 21 Nov 2017 00:57:45 +0100
+Subject: OvmfPkg: enable DEBUG_VERBOSE (RHEL only)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been
+  introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit
+  to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077.
+
+- Remove obsolete commit message tags related to downstream patch
+  management: Message-id, Patchwork-id, O-Subject, Acked-by, From
+  (RHBZ#1846481).
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- context difference from upstream commit 46bb81200742 ("OvmfPkg: Make
+  SOURCE_DEBUG_ENABLE actually need to be set to TRUE", 2019-10-22)
+  resolved automatically
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- no change
+
+Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
+RHEL-8.1/20190308-89910a39dcfd rebase:
+
+- no change
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no changes
+
+Bugzilla: 1488247
+
+Set the DEBUG_VERBOSE bit (0x00400000) in the log mask. We want detailed
+debug messages, and code in OvmfPkg logs many messages on the
+DEBUG_VERBOSE level.
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(this patch was previously applied as commit 78d3ed73172b5738e32d2b0bc03f7984b9584117)
+(cherry picked from commit 7aeeaabc9871f657e65d2b99d81011b4964a1ce9)
+(cherry picked from commit a0617a6be1a80966099ddceb010f89202a79ee76)
+(cherry picked from commit 759bd3f591e2db699bdef4c7ea4e97c908e7f027)
+(cherry picked from commit 7e6d5dc4078c64be6d55d8fc3317c59a91507a50)
+(cherry picked from commit 3cb92f9ba18ac79911bd5258ff4f949cc617ae89)
+(cherry picked from commit 5ecc18badaabe774d9d0806b027ab63a30c6a2d7)
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc | 2 +-
+ OvmfPkg/OvmfPkgIa32.dsc      | 2 +-
+ OvmfPkg/OvmfPkgIa32X64.dsc   | 2 +-
+ OvmfPkg/OvmfPkgX64.dsc       | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 0a8cb7fd3b..6e8defe5c7 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -486,7 +486,7 @@
+   # DEBUG_VERBOSE   0x00400000  // Detailed debug messages that may
+   #                             // significantly impact boot performance
+   # DEBUG_ERROR     0x80000000  // Error
+-  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
+ 
+ !if $(SOURCE_DEBUG_ENABLE) == TRUE
+   gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index e6df324c7c..52cd87f698 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -534,7 +534,7 @@
+   # DEBUG_VERBOSE   0x00400000  // Detailed debug messages that may
+   #                             // significantly impact boot performance
+   # DEBUG_ERROR     0x80000000  // Error
+-  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
+ 
+ !if $(SOURCE_DEBUG_ENABLE) == TRUE
+   gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 8104fe0218..214195a594 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -538,7 +538,7 @@
+   # DEBUG_VERBOSE   0x00400000  // Detailed debug messages that may
+   #                             // significantly impact boot performance
+   # DEBUG_ERROR     0x80000000  // Error
+-  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
+ 
+ !if $(SOURCE_DEBUG_ENABLE) == TRUE
+   gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 3c8b2649a8..02aad65b00 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -540,7 +540,7 @@
+   # DEBUG_VERBOSE   0x00400000  // Detailed debug messages that may
+   #                             // significantly impact boot performance
+   # DEBUG_ERROR     0x80000000  // Error
+-  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
+ 
+ !if $(SOURCE_DEBUG_ENABLE) == TRUE
+   gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
+-- 
+2.27.0
+
diff --git a/SOURCES/0021-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch b/SOURCES/0021-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch
new file mode 100644
index 0000000..4cea103
--- /dev/null
+++ b/SOURCES/0021-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch
@@ -0,0 +1,173 @@
+From 4b2a35ab1d659068d47baaf1dd5b2918ba8a2573 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 21 Nov 2017 00:57:46 +0100
+Subject: OvmfPkg: silence DEBUG_VERBOSE (0x00400000) in
+ QemuVideoDxe/QemuRamfbDxe (RH)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been
+  introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit
+  to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077.
+
+- Remove obsolete commit message tags related to downstream patch
+  management: Message-id, Patchwork-id, O-Subject, Acked-by, From
+  (RHBZ#1846481).
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- no change
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- Due to upstream commit 4b04d9d73604 ("OvmfPkg: Don't build in
+  QemuVideoDxe when we have CSM", 2019-06-26), the contexts of
+  "QemuVideoDxe.inf" / "QemuRamfbDxe.inf" have changed in the DSC files.
+  Resolve the conflict manually.
+
+Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
+RHEL-8.1/20190308-89910a39dcfd rebase:
+
+- Upstream commit 1d25ff51af5c ("OvmfPkg: add QemuRamfbDxe", 2018-06-14)
+  introduced another GOP driver that consumes FrameBufferBltLib, and
+  thereby produces a large number of (mostly useless) debug messages at
+  the DEBUG_VERBOSE level. Extend the patch to suppress those messages in
+  both QemuVideoDxe and QemuRamfbDxe; update the subject accordingly.
+  QemuRamfbDxe itself doesn't log anything at the VERBOSE level (see also
+  the original commit message at the bottom of this downstream patch).
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no changes
+
+Bugzilla: 1488247
+
+In commit 5b2291f9567a ("OvmfPkg: QemuVideoDxe uses
+MdeModulePkg/FrameBufferLib"), QemuVideoDxe was rebased to
+FrameBufferBltLib.
+
+The FrameBufferBltLib instance added in commit b1ca386074bd
+("MdeModulePkg: Add FrameBufferBltLib library instance") logs many
+messages on the VERBOSE level; for example, a normal boot with OVMF can
+produce 500+ "VideoFill" messages, dependent on the progress bar, when the
+VERBOSE bit is set in PcdDebugPrintErrorLevel.
+
+QemuVideoDxe itself doesn't log anything at the VERBOSE level, so we lose
+none of its messages this way.
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(this patch was previously applied as commit 9b0d031dee7e823f6717bab73e422fbc6f0a6c52)
+(cherry picked from commit 9122d5f2e8d8d289064d1e1700cb61964d9931f3)
+(cherry picked from commit 7eb3be1d4ccafc26c11fe5afb95cc12b250ce6f0)
+(cherry picked from commit bd650684712fb840dbcda5d6eaee065bd9e91fa1)
+(cherry picked from commit b06b87f8ffd4fed4ef7eacb13689a9b6d111f850)
+(cherry picked from commit c8c3f893e7c3710afe45c46839e97954871536e4)
+(cherry picked from commit 1355849ad97c1e4a5c430597a377165a5cc118f7)
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc | 10 ++++++++--
+ OvmfPkg/OvmfPkgIa32.dsc      | 10 ++++++++--
+ OvmfPkg/OvmfPkgIa32X64.dsc   | 10 ++++++++--
+ OvmfPkg/OvmfPkgX64.dsc       | 10 ++++++++--
+ 4 files changed, 32 insertions(+), 8 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 6e8defe5c7..568ca369e6 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -747,8 +747,14 @@
+   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+   MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
+ 
+-  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
++  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
++  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ 
+   #
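Review bot: Both module overrides in this hunk hard-code 0x8000004F, which is only correct as long as the platform-wide value stays 0x8040004F; if the platform mask gains or loses any other bit, QemuVideoDxe and QemuRamfbDxe will diverge from it without any build error. The ArmVirtPkg variant of this change clears just the VERBOSE bit with "($(DEBUG_PRINT_ERROR_LEVEL)) & 0xFFBFFFFF"; either follow that form here or add a comment on each override stating that the value is the platform mask with 0x00400000 cleared.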
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 52cd87f698..52fd057c90 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -842,9 +842,15 @@
+   MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
+ 
+ !ifndef $(CSM_ENABLE)
+-  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
++  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+ !endif
+-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
++  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ 
+   #
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 214195a594..653849cc7a 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -856,9 +856,15 @@
+   MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
+ 
+ !ifndef $(CSM_ENABLE)
+-  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
++  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+ !endif
+-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
++  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ 
+   #
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 02aad65b00..5275f2502b 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -854,9 +854,15 @@
+   MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
+ 
+ !ifndef $(CSM_ENABLE)
+-  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
++  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+ !endif
+-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
++  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ 
+   #
+-- 
+2.27.0
+
diff --git a/SOURCES/0022-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch b/SOURCES/0022-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch
new file mode 100644
index 0000000..18d30be
--- /dev/null
+++ b/SOURCES/0022-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch
@@ -0,0 +1,97 @@
+From 251653ccf48a973481bb8c90161cccde50c78ad5 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 27 Jan 2016 03:05:18 +0100
+Subject: ArmVirtPkg: silence DEBUG_VERBOSE (0x00400000) in QemuRamfbDxe (RH
+ only)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- no change
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- no change
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- The previous version of this patch (downstream commit 76b4ac28e975)
+  caused a regression (RHBZ#1714446), which was fixed up in downstream
+  commit 5a216abaa737 ("ArmVirtPkg: silence DEBUG_VERBOSE masking
+  ~0x00400000 in QemuRamfbDxe (RH only)", 2019-08-05).
+
+  Squash the fixup into the original patch. Fuse the commit messages.
+  (Acked-by tags are not preserved, lest we confuse ourselves while
+  reviewing this rebase.)
+
+Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
+RHEL-8.1/20190308-89910a39dcfd rebase:
+
+- new patch, due to upstream commit c64688f36a8b ("ArmVirtPkg: add
+  QemuRamfbDxe", 2018-06-14)
+
+QemuRamfbDxe uses FrameBufferLib. The FrameBufferBltLib instance added in
+commit b1ca386074bd ("MdeModulePkg: Add FrameBufferBltLib library
+instance") logs many messages on the VERBOSE level; for example, a normal
+boot with ArmVirtQemu[Kernel] can produce 500+ "VideoFill" messages,
+dependent on the progress bar, when the VERBOSE bit is set in
+PcdDebugPrintErrorLevel.
+
+Clear the VERBOSE bit without touching other bits -- those other bits
+differ between the "silent" and "verbose" builds, so we can't set them as
+constants.
+
+QemuRamfbDxe itself doesn't log anything at the VERBOSE level, so we lose
+none of its messages, with the VERBOSE bit clear.
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 76b4ac28e975bd63c25db903a1d42c47b38cc756)
+Reported-by: Andrew Jones <drjones@redhat.com>
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
+(cherry picked from commit 5a216abaa737195327235e37563b18a6bf2a74dc)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit e5b8152bced2364a1ded0926dbba4d65e23e3f84)
+(cherry picked from commit e7f57f154439c1c18ea5030b01f8d7bc492698b2)
+---
+ ArmVirtPkg/ArmVirtQemu.dsc       | 5 ++++-
+ ArmVirtPkg/ArmVirtQemuKernel.dsc | 5 ++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index 971422411d..d2a2fdac8e 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -504,7 +504,10 @@
+   #
+   # Video support
+   #
+-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
++  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|($(DEBUG_PRINT_ERROR_LEVEL)) & 0xFFBFFFFF
++  }
+   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+   OvmfPkg/PlatformDxe/Platform.inf
+ 
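Review bot: The mask 0xFFBFFFFF in the QemuRamfbDxe override is a bare constant, and nothing in the DSC says that it is the complement of DEBUG_VERBOSE (0x00400000). Suggest a short comment above the PcdsFixedAtBuild line naming the bit being cleared and noting that the remaining bits are inherited from DEBUG_PRINT_ERROR_LEVEL because they differ between the silent and verbose builds, as the commit message explains.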
+diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+index f598ac6a85..7e50ce8b3b 100644
+--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+@@ -434,7 +434,10 @@
+   #
+   # Video support
+   #
+-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
++  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|($(DEBUG_PRINT_ERROR_LEVEL)) & 0xFFBFFFFF
++  }
+   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+   OvmfPkg/PlatformDxe/Platform.inf
+ 
+-- 
+2.27.0
+
diff --git a/SOURCES/0023-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch b/SOURCES/0023-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch
new file mode 100644
index 0000000..e75701e
--- /dev/null
+++ b/SOURCES/0023-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch
@@ -0,0 +1,95 @@
+From bacf42ebf768aebb8c2b36fb52d154daf19c0c74 Mon Sep 17 00:00:00 2001
+From: Philippe Mathieu-Daude <philmd@redhat.com>
+Date: Thu, 1 Aug 2019 20:43:48 +0200
+Subject: OvmfPkg: QemuRamfbDxe: Do not report DXE failure on Aarch64 silent
+ builds (RH only)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- no change
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- no change
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- We have to carry this downstream-only patch -- committed originally as
+  aaaedc1e2cfd -- indefinitely.
+
+- To avoid confusion, remove the tags from the commit message that had
+  been added by the downstream maintainer scripts, such as: Message-id,
+  Patchwork-id, O-Subject, Acked-by. These remain available on the
+  original downstream commit. The Bugzilla line is preserved, as it
+  doesn't relate to a specific posting, but to the problem.
+
+Bugzilla: 1714446
+
+To suppress an error message on the silent build when ramfb is
+not configured, change QemuRamfbDxe to return EFI_SUCCESS even
+when it fails.
+Some memory is wasted (driver stays resident without
+any good use), but it is mostly harmless, as the memory
+is released by the OS after ExitBootServices().
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
+(cherry picked from commit aaaedc1e2cfd55ef003fb1b5a37c73a196b26dc7)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit aa2b66b18a62d652bdbefae7b5732297294306ca)
+(cherry picked from commit deb3451034326b75fd760aba47a5171493ff055e)
+---
+ OvmfPkg/QemuRamfbDxe/QemuRamfb.c      | 14 ++++++++++++++
+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf |  1 +
+ 2 files changed, 15 insertions(+)
+
+diff --git a/OvmfPkg/QemuRamfbDxe/QemuRamfb.c b/OvmfPkg/QemuRamfbDxe/QemuRamfb.c
+index 0d49d8bbab..dbf9bcbe16 100644
+--- a/OvmfPkg/QemuRamfbDxe/QemuRamfb.c
++++ b/OvmfPkg/QemuRamfbDxe/QemuRamfb.c
+@@ -13,6 +13,7 @@
+ #include <Library/BaseLib.h>
+ #include <Library/BaseMemoryLib.h>
+ #include <Library/DebugLib.h>
++#include <Library/DebugPrintErrorLevelLib.h>
+ #include <Library/DevicePathLib.h>
+ #include <Library/FrameBufferBltLib.h>
+ #include <Library/MemoryAllocationLib.h>
+@@ -242,6 +243,19 @@ InitializeQemuRamfb (
+ 
+   Status = QemuFwCfgFindFile ("etc/ramfb", &mRamfbFwCfgItem, &FwCfgSize);
+   if (EFI_ERROR (Status)) {
++#if defined (MDE_CPU_AARCH64)
++    //
++    // RHBZ#1714446
++    // If no ramfb device was configured, this platform DXE driver should
++    // returns EFI_NOT_FOUND, so the DXE Core can unload it. However, even
++    // using a silent build, an error message is issued to the guest console.
++    // Since this confuse users, return success and stay resident. The wasted
++    // guest RAM still gets freed later after ExitBootServices().
++    //
++    if (GetDebugPrintErrorLevel () == DEBUG_ERROR) {
++      return EFI_SUCCESS;
++    }
++#endif
+     return EFI_NOT_FOUND;
+   }
+   if (FwCfgSize != sizeof (RAMFB_CONFIG)) {
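Review bot: The test "GetDebugPrintErrorLevel () == DEBUG_ERROR" in InitializeQemuRamfb is an exact comparison, so the EFI_SUCCESS path is taken only when the mask is DEBUG_ERROR and nothing else; any additional bit in the mask restores the EFI_NOT_FOUND return. The comment should state that this exact value is what identifies the silent build, since the code otherwise reads like a check for "errors enabled". The comment also has two grammar slips worth fixing while here: "should returns" and "Since this confuse users".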
+diff --git a/OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf b/OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+index e3890b8c20..6ffee5acb2 100644
+--- a/OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
++++ b/OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+@@ -29,6 +29,7 @@
+   BaseLib
+   BaseMemoryLib
+   DebugLib
++  DebugPrintErrorLevelLib
+   DevicePathLib
+   FrameBufferBltLib
+   MemoryAllocationLib
+-- 
+2.27.0
+
diff --git a/SOURCES/0024-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch b/SOURCES/0024-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
new file mode 100644
index 0000000..d08e6fd
--- /dev/null
+++ b/SOURCES/0024-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
@@ -0,0 +1,131 @@
+From 41c61737a6ead56c36edabd1b2e685a04c2e81c6 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 21 Nov 2017 00:57:47 +0100
+Subject: OvmfPkg: silence EFI_D_VERBOSE (0x00400000) in NvmExpressDxe (RH
+ only)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been
+  introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit
+  to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077.
+
+- Remove obsolete commit message tags related to downstream patch
+  management: Message-id, Patchwork-id, O-Subject, Acked-by, From
+  (RHBZ#1846481).
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- no change
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- no change
+
+Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
+RHEL-8.1/20190308-89910a39dcfd rebase:
+
+- no change
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no changes
+
+Bugzilla: 1488247
+
+NvmExpressDxe logs all BlockIo read & write calls on the EFI_D_VERBOSE
+level.
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(this patch was previously applied as commit 5f432837b9c60c2929b13dda1a1b488d5c3a6d2f)
+(cherry picked from commit 33e00146eb878588ad1395d7b1ae38f401729da4)
+(cherry picked from commit bd10cabcfcb1bc9a32b05062f4ee3792e27bc2d8)
+(cherry picked from commit 5a27af700f49e00608f232f618dedd7bf5e9b3e6)
+(cherry picked from commit 58bba429b9ec7b78109940ef945d0dc93f3cd958)
+(cherry picked from commit b8d0ebded8c2cf5b266c807519e2d8ccfd66fee6)
+(cherry picked from commit ed89844b47f46cfe911f1bf2bda40e537a908502)
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc | 5 ++++-
+ OvmfPkg/OvmfPkgIa32.dsc      | 5 ++++-
+ OvmfPkg/OvmfPkgIa32X64.dsc   | 5 ++++-
+ OvmfPkg/OvmfPkgX64.dsc       | 5 ++++-
+ 4 files changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 568ca369e6..fb00b12f8c 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -741,7 +741,10 @@
+   OvmfPkg/SataControllerDxe/SataControllerDxe.inf
+   MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
+   MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
+-  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
++  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+   MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
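Review bot: The NvmExpressDxe override block has no comment explaining why this one driver gets a different PcdDebugPrintErrorLevel, and the reason (it logs every BlockIo read and write at the verbose level) exists only in the commit message. Suggest adding that sentence as a comment above the override in each DSC, since the override is downstream-only and has to be re-justified at every rebase.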
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 52fd057c90..119267e3c8 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -835,7 +835,10 @@
+   OvmfPkg/SataControllerDxe/SataControllerDxe.inf
+   MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
+   MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
+-  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
++  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+   MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 653849cc7a..166c9f1fef 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -849,7 +849,10 @@
+   OvmfPkg/SataControllerDxe/SataControllerDxe.inf
+   MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
+   MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
+-  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
++  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+   MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 5275f2502b..19d0944a72 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -847,7 +847,10 @@
+   OvmfPkg/SataControllerDxe/SataControllerDxe.inf
+   MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
+   MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
+-  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
++  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+   MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+-- 
+2.27.0
+
diff --git a/SOURCES/0025-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch b/SOURCES/0025-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch
new file mode 100644
index 0000000..9310962
--- /dev/null
+++ b/SOURCES/0025-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch
@@ -0,0 +1,179 @@
+From 7e6817e96a15f9ce32f0c9cf6326bb682672724c Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Sat, 16 Nov 2019 17:11:27 +0100
+Subject: CryptoPkg/OpensslLib: list RHEL8-specific OpenSSL files in the INFs
+ (RH)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1938257
+
+- Recreate the patch based on downstream commits:
+
+  - 56c4bb81b311 ("CryptoPkg/OpensslLib: list RHEL8-specific OpenSSL files
+                  in the INFs (RH)", 2020-06-05),
+  - e81751a1c303 ("CryptoPkg/OpensslLib: Upgrade OpenSSL to 1.1.1g",
+                  2020-11-23),
+  - 3e3fe5e62079 ("redhat: bump OpenSSL dist-git submodule to 1.1.1g+ /
+                  RHEL-8.4", 2020-11-23).
+
+  (1) At e81751a1c303, downstream edk2 was in sync with upstream edk2
+      consuming OpenSSL 1.1.1g (upstream edk2 commit 8c30327debb2
+      ("CryptoPkg/OpensslLib: Upgrade OpenSSL to 1.1.1g", 2020-07-25)).
+
+      Since commit 8c30327debb2, upstream edk2 modified the OpensslLib INF
+      files, namely
+
+      - CryptoPkg/Library/OpensslLib/OpensslLib.inf
+      - CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+
+      in the following commits only:
+
+      - be01087e0780 ("CryptoPkg/Library: Remove the redundant build
+        option", 2020-08-12), which did not affect the source file list at
+        all,
+
+      - b5701a4c7a0f ("CryptoPkg: OpensslLib: Use RngLib to generate
+        entropy in rand_pool", 2020-09-18), which replaced some of the
+        *edk2-specific* "rand_pool_noise" source files with an RngLib
+        dependency.
+
+      This means that the list of required, actual OpenSSL source files
+      has not changed in upstream edk2 since our downstream edk2 commit
+      e81751a1c303.
+
+  (2) At commit 3e3fe5e62079 (the direct child of e81751a1c303),
+      downstream edk2's OpenSSL dependency was satisfied with RHEL-8
+      OpenSSL at dist-git commit bdd048e929dc ("Two fixes that will be
+      shipped in RHEL-8.3.0.z", 2020-10-23).
+
+      Since commit bdd048e929dc, RHEL-8 OpenSSL dist-git advanced
+      (fast-forwarded) to commit a75722161d20 ("Update to version 1.1.1k",
+      2021-05-25), which is the current head of the rhel-8.5.0 branch.
+      (See also <https://bugzilla.redhat.com/show_bug.cgi?id=1938257#c6>.)
+
+      At both dist-git bdd048e929dc and dist-git a75722161d20, I built the
+      respective RHEL-8 OpenSSL *source* RPM, and prepped the respective
+      source tree, with "rpmbuild -bp". Subsequently I compared the
+      prepped source trees recursively.
+
+      - The following files disappeared:
+
+        - 29 backup files created by "patch",
+
+        - the assembly generator perl script called
+          "ecp_nistz256-avx2.pl", which is not used during the build.
+
+      - The following new files appeared:
+
+        - 18 files directly or indirectly under the "test" subdirectory,
+          which are not used during the build,
+
+        - 5 backup files created by "patch",
+
+        - 2 DCL scripts used when building OpenSSL on OpenVMS.
+
+      This means that the total list of RHEL-8 OpenSSL source files has
+      not changed in RHEL-8 OpenSSL dist-git since our downstream edk2
+      commit 3e3fe5e62079.
+
+  As a result, copy the "RHEL8-specific OpenSSL file list" sections
+  verbatim from the INF files, at downstream commit e81751a1c303. (I used
+  the "git checkout -p e81751a1c303 -- Library/OpensslLib/OpensslLib.inf
+  CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf" command.)
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- "OpensslLib.inf":
+
+  - Automatic leading context refresh against upstream commit c72ca4666886
+    ("CryptoPkg/OpensslLib: Add "sort" keyword to header file parsing
+    loop", 2020-03-10).
+
+  - Manual trailing context refresh against upstream commit b49a6c8f80d9
+    ("CryptoPkg/OpensslLib: improve INF file consistency", 2019-12-02).
+
+- "OpensslLibCrypto.inf":
+
+  - Automatic leading context refresh against upstream commits
+    8906f076de35 ("CryptoPkg/OpensslLib: Add missing header files in INF
+    file", 2019-08-16) and 9f4fbd56d430 ("CryptoPkg/OpensslLib: Update
+    process_files.pl to generate .h files", 2019-10-30).
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- new patch
+
+The downstream changes in RHEL8's OpenSSL package, for example in
+"openssl-1.1.1-evp-kdf.patch", introduce new files, and even move some
+preexistent code into those new files. In order to avoid undefined
+references in link editing, we have to list the new files.
+
+Note: "process_files.pl" is not re-run at this time manually, because
+
+(a) "process_files.pl" would pollute the file list (and some of the
+    auto-generated header files) with RHEL8-specific FIPS artifacts, which
+    are explicitly unwanted in edk2,
+
+(b) The RHEL OpenSSL maintainer, Tomas Mraz, identified this specific set
+    of files in <https://bugzilla.redhat.com/show_bug.cgi?id=1749693#c10>,
+    and will help with future changes too.
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 57bd3f146590df8757865d8f2cdd1db3cf3f4d40)
+(cherry picked from commit 56c4bb81b311dfcee6a34c81d3e4feeda7f88995)
+---
+ CryptoPkg/Library/OpensslLib/OpensslLib.inf       | 11 +++++++++++
+ CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 11 +++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+index b00bb74ce6..71e32f26ea 100644
+--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
++++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+@@ -570,6 +570,17 @@
+   $(OPENSSL_PATH)/ssl/statem/statem.h
+   $(OPENSSL_PATH)/ssl/statem/statem_local.h
+ # Autogenerated files list ends here
++# RHEL8-specific OpenSSL file list starts here
++  $(OPENSSL_PATH)/crypto/evp/kdf_lib.c
++  $(OPENSSL_PATH)/crypto/evp/pkey_kdf.c
++  $(OPENSSL_PATH)/crypto/kdf/kbkdf.c
++  $(OPENSSL_PATH)/crypto/kdf/kdf_local.h
++  $(OPENSSL_PATH)/crypto/kdf/kdf_util.c
++  $(OPENSSL_PATH)/crypto/kdf/krb5kdf.c
++  $(OPENSSL_PATH)/crypto/kdf/pbkdf2.c
++  $(OPENSSL_PATH)/crypto/kdf/sshkdf.c
++  $(OPENSSL_PATH)/crypto/kdf/sskdf.c
++# RHEL8-specific OpenSSL file list ends here
+   buildinf.h
+   ossl_store.c
+   rand_pool.c
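Review bot: The RHEL8-specific block in OpensslLib.inf is placed after the "Autogenerated files list ends here" marker, which fits the commit message's point that process_files.pl is not re-run, but the start and end marker comments do not say where the nine entries come from. Suggest extending the start marker with a pointer to the Bugzilla comment cited in the commit message (1749693#c10), so the origin of the list is visible to anyone editing the INF.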
+diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+index 3557711bd8..003dcbad7a 100644
+--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
++++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+@@ -519,6 +519,17 @@
+   $(OPENSSL_PATH)/crypto/x509v3/standard_exts.h
+   $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h
+ # Autogenerated files list ends here
++# RHEL8-specific OpenSSL file list starts here
++  $(OPENSSL_PATH)/crypto/evp/kdf_lib.c
++  $(OPENSSL_PATH)/crypto/evp/pkey_kdf.c
++  $(OPENSSL_PATH)/crypto/kdf/kbkdf.c
++  $(OPENSSL_PATH)/crypto/kdf/kdf_local.h
++  $(OPENSSL_PATH)/crypto/kdf/kdf_util.c
++  $(OPENSSL_PATH)/crypto/kdf/krb5kdf.c
++  $(OPENSSL_PATH)/crypto/kdf/pbkdf2.c
++  $(OPENSSL_PATH)/crypto/kdf/sshkdf.c
++  $(OPENSSL_PATH)/crypto/kdf/sskdf.c
++# RHEL8-specific OpenSSL file list ends here
+   buildinf.h
+   ossl_store.c
+   rand_pool.c
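Review bot: The nine entries added to OpensslLibCrypto.inf are a hand-maintained copy of the block added to OpensslLib.inf in the previous hunk, and nothing ties the two together. Suggest a note in each start marker that the list must stay identical in both INF files, since a file missing from only one of them would show up as undefined references at link time in just that library variant.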
+-- 
+2.27.0
+
diff --git a/SOURCES/0026-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch b/SOURCES/0026-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch
new file mode 100644
index 0000000..1533000
--- /dev/null
+++ b/SOURCES/0026-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch
@@ -0,0 +1,83 @@
+From 29be717a1ae0a2617a7ae95698940286201d1612 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 24 Jun 2020 11:31:36 +0200
+Subject: OvmfPkg/QemuKernelLoaderFsDxe: suppress error on no "-kernel" in
+ silent aa64 build (RH)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- Remove obsolete commit message tags related to downstream patch
+  management: Message-id, Patchwork-id, O-Subject, Acked-by, From,
+  RH-Acked-by, RH-Author (RHBZ#1846481).
+
+Bugzilla: 1844682
+
+If the "-kernel" QEMU option is not used, then QemuKernelLoaderFsDxe
+should return EFI_NOT_FOUND, so that the DXE Core can unload it. However,
+the associated error message, logged by the DXE Core to the serial
+console, is not desired in the silent edk2-aarch64 build, given that the
+absence of "-kernel" is nothing out of the ordinary. Therefore, return
+success and stay resident. The wasted guest RAM still gets freed after
+ExitBootServices().
+
+(Inspired by RHEL-8.1.0 commit aaaedc1e2cfd.)
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+(cherry picked from commit 9adcdf493ebbd11efb74e2905ab5f6c8996e096d)
+---
+ .../QemuKernelLoaderFsDxe.c                     | 17 +++++++++++++++++
+ .../QemuKernelLoaderFsDxe.inf                   |  1 +
+ 2 files changed, 18 insertions(+)
+
+diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+index b09ff6a359..ec0244d61b 100644
+--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+@@ -18,6 +18,7 @@
+ #include <Library/BaseLib.h>
+ #include <Library/BaseMemoryLib.h>
+ #include <Library/DebugLib.h>
++#include <Library/DebugPrintErrorLevelLib.h>
+ #include <Library/DevicePathLib.h>
+ #include <Library/MemoryAllocationLib.h>
+ #include <Library/QemuFwCfgLib.h>
+@@ -1039,6 +1040,22 @@ QemuKernelLoaderFsDxeEntrypoint (
+ 
+   if (KernelBlob->Data == NULL) {
+     Status = EFI_NOT_FOUND;
++#if defined (MDE_CPU_AARCH64)
++    //
++    // RHBZ#1844682
++    //
++    // If the "-kernel" QEMU option is not being used, this platform DXE driver
++    // should return EFI_NOT_FOUND, so that the DXE Core can unload it.
++    // However, the associated error message, logged by the DXE Core to the
++    // serial console, is not desired in the silent edk2-aarch64 build, given
++    // that the absence of "-kernel" is nothing out of the ordinary. Therefore,
++    // return success and stay resident. The wasted guest RAM still gets freed
++    // after ExitBootServices().
++    //
++    if (GetDebugPrintErrorLevel () == DEBUG_ERROR) {
++      Status = EFI_SUCCESS;
++    }
++#endif
+     goto FreeBlobs;
+   }
+ 
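Review bot: In QemuKernelLoaderFsDxeEntrypoint the added block sets Status to EFI_SUCCESS and then falls through to "goto FreeBlobs", so the cleanup label is now reached with a success status, which the lines shown here do not otherwise do. Please confirm that everything after FreeBlobs is safe to run when the entry point reports success and the driver stays resident, and say so in the comment. As in the QemuRamfbDxe patch, the "== DEBUG_ERROR" comparison is exact and the comment should note that this value is what identifies the silent build.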
+diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
+index 7b35adb8e0..e0331c6e2c 100644
+--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
+@@ -28,6 +28,7 @@
+   BaseLib
+   BaseMemoryLib
+   DebugLib
++  DebugPrintErrorLevelLib
+   DevicePathLib
+   MemoryAllocationLib
+   QemuFwCfgLib
+-- 
+2.27.0
+
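Review bot: in the QemuKernelLoaderFsDxe.c hunk, "GetDebugPrintErrorLevel () == DEBUG_ERROR" is an exact-equality test on a bitmask, so the suppression silently turns off if the silent build ever sets any other bit alongside DEBUG_ERROR. Putting the intended mask behind one named macro or helper would make that dependency explicit. The branch also reaches "goto FreeBlobs" with Status set to EFI_SUCCESS, so please confirm that the cleanup under that label does not assume a failure status, and extend the comment to say that the resident driver has found no kernel blob, since the entry point's return value no longer distinguishes that case.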
diff --git a/SOURCES/0027-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch b/SOURCES/0027-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch
new file mode 100644
index 0000000..3cc5803
--- /dev/null
+++ b/SOURCES/0027-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch
@@ -0,0 +1,82 @@
+From dc27035d2a8ca09dc5b0113c97a643341f286c08 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 24 Jun 2020 11:40:09 +0200
+Subject: SecurityPkg/Tcg2Dxe: suppress error on no swtpm in silent aa64 build
+ (RH)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- Remove obsolete commit message tags related to downstream patch
+  management: Message-id, Patchwork-id, O-Subject, Acked-by, From,
+  RH-Acked-by, RH-Author (RHBZ#1846481).
+
+Bugzilla: 1844682
+
+If swtpm / vTPM2 is not being used, Tcg2Dxe should return EFI_UNSUPPORTED,
+so that the DXE Core can unload it. However, the associated error message,
+logged by the DXE Core to the serial console, is not desired in the silent
+edk2-aarch64 build, given that the absence of swtpm / vTPM2 is nothing out
+of the ordinary. Therefore, return success and stay resident. The wasted
+guest RAM still gets freed after ExitBootServices().
+
+(Inspired by RHEL-8.1.0 commit aaaedc1e2cfd.)
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+(cherry picked from commit cbce29f7749477e271f9764fed82de94724af5df)
+---
+ SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c   | 17 +++++++++++++++++
+ SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf |  1 +
+ 2 files changed, 18 insertions(+)
+
+diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
+index 6d17616c1c..f1a97d4b2d 100644
+--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
++++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
+@@ -28,6 +28,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ #include <Protocol/ResetNotification.h>
+ 
+ #include <Library/DebugLib.h>
++#include <Library/DebugPrintErrorLevelLib.h>
+ #include <Library/BaseMemoryLib.h>
+ #include <Library/UefiRuntimeServicesTableLib.h>
+ #include <Library/UefiDriverEntryPoint.h>
+@@ -2642,6 +2643,22 @@ DriverEntry (
+   if (CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceNoneGuid) ||
+       CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm12Guid)){
+     DEBUG ((DEBUG_INFO, "No TPM2 instance required!\n"));
++#if defined (MDE_CPU_AARCH64)
++    //
++    // RHBZ#1844682
++    //
++    // If swtpm / vTPM2 is not being used, this driver should return
++    // EFI_UNSUPPORTED, so that the DXE Core can unload it. However, the
++    // associated error message, logged by the DXE Core to the serial console,
++    // is not desired in the silent edk2-aarch64 build, given that the absence
++    // of swtpm / vTPM2 is nothing out of the ordinary. Therefore, return
++    // success and stay resident. The wasted guest RAM still gets freed after
++    // ExitBootServices().
++    //
++    if (GetDebugPrintErrorLevel () == DEBUG_ERROR) {
++      return EFI_SUCCESS;
++    }
++#endif
+     return EFI_UNSUPPORTED;
+   }
+ 
+diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+index 7dc7a2683d..3bc8833931 100644
+--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
++++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+@@ -55,6 +55,7 @@
+   UefiRuntimeServicesTableLib
+   BaseMemoryLib
+   DebugLib
++  DebugPrintErrorLevelLib
+   Tpm2CommandLib
+   PrintLib
+   UefiLib
+-- 
+2.27.0
+
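Review bot: in the Tcg2Dxe.c hunk the new early "return EFI_SUCCESS" sits in a branch that is taken for both gEfiTpmDeviceInstanceNoneGuid and gEfiTpmDeviceInstanceTpm12Guid, while the comment only describes the "no swtpm / vTPM2" case. The comment should cover the TPM 1.2 case too, or the condition should be narrowed. The only trace left is the DEBUG_INFO message just above, which is filtered out when the error level equals DEBUG_ERROR, so in the silent build neither the console nor the driver's return status shows that Tcg2Dxe did not initialise. That is worth stating in the commit message for anyone debugging a guest that unexpectedly has no TPM2 support.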
diff --git a/SOURCES/LICENSE.qosb b/SOURCES/LICENSE.qosb
new file mode 100644
index 0000000..9849381
--- /dev/null
+++ b/SOURCES/LICENSE.qosb
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 Patrick Uiterwijk
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/SOURCES/RedHatSecureBootPkKek1.pem b/SOURCES/RedHatSecureBootPkKek1.pem
new file mode 100644
index 0000000..d302362
--- /dev/null
+++ b/SOURCES/RedHatSecureBootPkKek1.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
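Review bot: RedHatSecureBootPkKek1.pem is added as an opaque PEM body, and nothing in this hunk records the certificate's subject, fingerprint or validity dates. Going by the file name it is meant for the Secure Boot PK/KEK slots, so a reviewer needs a way to confirm that it is the intended key. Please state the fingerprint and expiry in the commit message or next to the build step that consumes the file.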
diff --git a/SOURCES/edk2-ArmVirtPkg-Remove-EbcDxe-RHEL-only.patch b/SOURCES/edk2-ArmVirtPkg-Remove-EbcDxe-RHEL-only.patch
new file mode 100644
index 0000000..cb19b8d
--- /dev/null
+++ b/SOURCES/edk2-ArmVirtPkg-Remove-EbcDxe-RHEL-only.patch
@@ -0,0 +1,56 @@
+From 1141700f8b6ffa86f1539e4dd03acea2e397e1d8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:28:54 +0200
+Subject: [PATCH 03/19] ArmVirtPkg: Remove EbcDxe (RHEL only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [3/19] 5ca7af1a505c16cc568a444398254aca06ca65aa
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove EFI Byte Code interpreter.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ArmVirtPkg/ArmVirt.dsc.inc           | 5 -----
+ ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 5 -----
+ 2 files changed, 10 deletions(-)
+
+diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
+index d9abadbe70..505e895db7 100644
+--- a/ArmVirtPkg/ArmVirt.dsc.inc
++++ b/ArmVirtPkg/ArmVirt.dsc.inc
+@@ -421,8 +421,3 @@
+     <LibraryClasses>
+       NULL|EmbeddedPkg/Library/PlatformHasAcpiLib/PlatformHasAcpiLib.inf
+   }
+-
+-  #
+-  # EBC support
+-  #
+-  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
+diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+index 6cdbfc39be..0ba57fe687 100644
+--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+@@ -149,11 +149,6 @@ READ_LOCK_STATUS   = TRUE
+   INF MdeModulePkg/Universal/Acpi/AcpiTableDxe/AcpiTableDxe.inf
+   INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+   INF OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpiPlatformDxe.inf
+-
+-  #
+-  # EBC support
+-  #
+-  INF MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
+ !endif
+ 
+   #
+-- 
+2.27.0
+
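Review bot: the commit message ("Remove EFI Byte Code interpreter.") says neither why nor what stops working. Both hunks drop EbcDxe.inf, from ArmVirt.dsc.inc and from ArmVirtQemuFvMain.fdf.inc, so images built as EFI Byte Code will no longer be executed by this firmware. Please record that consequence in the message, and whether the removal is a support-scope decision or an attack-surface one.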
diff --git a/SOURCES/edk2-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch b/SOURCES/edk2-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch
new file mode 100644
index 0000000..f9e06c4
--- /dev/null
+++ b/SOURCES/edk2-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch
@@ -0,0 +1,55 @@
+From 6526e99a9e71d45f1ed69d95ff0dd75066a093f7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:29:34 +0200
+Subject: [PATCH 16/19] ArmVirtPkg: Remove HttpDynamicCommand from shell (RHEL
+ only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [16/19] 07a74f1fdcdbb9a31d25ce9760edcd852e9574c3
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove the command to download files in the shell via HTTP(S).
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ArmVirtPkg/ArmVirt.dsc.inc           | 4 ----
+ ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 1 -
+ 2 files changed, 5 deletions(-)
+
+diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
+index 012050147e..98ff6a6f87 100644
+--- a/ArmVirtPkg/ArmVirt.dsc.inc
++++ b/ArmVirtPkg/ArmVirt.dsc.inc
+@@ -378,10 +378,6 @@
+   #
+   # UEFI application (Shell Embedded Boot Loader)
+   #
+-  ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+-  }
+   OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
+     <PcdsFixedAtBuild>
+       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+index 4a26071397..5db1918159 100644
+--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+@@ -101,7 +101,6 @@ READ_LOCK_STATUS   = TRUE
+   # UEFI application (Shell Embedded Boot Loader)
+   #
+   INF ShellPkg/Application/Shell/Shell.inf
+-  INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
+   INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+ 
+   #
+-- 
+2.27.0
+
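Review bot: the ArmVirt.dsc.inc hunk only applies on top of the TftpDynamicCommand removal. Its context has LinuxInitrdDynamicShellCommand directly under the section comment, and its pre-image blob 012050147e is the post-image of that patch. The patch file names do not carry the [n/19] position, so applying them in alphabetical order would put this one before the Tftp patch and the hunk would not match. The spec should list these patches explicitly in series order, or the file names should include the series number.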
diff --git a/SOURCES/edk2-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch b/SOURCES/edk2-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch
new file mode 100644
index 0000000..ba647d9
--- /dev/null
+++ b/SOURCES/edk2-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch
@@ -0,0 +1,56 @@
+From de1c2b8b944701c789477246ecad73708afe1ae6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:29:46 +0200
+Subject: [PATCH 18/19] ArmVirtPkg: Remove LinuxInitrdDynamicShellCommand (RHEL
+ only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [18/19] 8f4e4007108462533e3d2050b84d8830073a7c0d
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove the command to register a file in the shell as the initial
+ramdisk for a UEFI stubbed kernel, to be booted next.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ArmVirtPkg/ArmVirt.dsc.inc           | 4 ----
+ ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 1 -
+ 2 files changed, 5 deletions(-)
+
+diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
+index 98ff6a6f87..f2b6b6bce8 100644
+--- a/ArmVirtPkg/ArmVirt.dsc.inc
++++ b/ArmVirtPkg/ArmVirt.dsc.inc
+@@ -378,10 +378,6 @@
+   #
+   # UEFI application (Shell Embedded Boot Loader)
+   #
+-  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+-  }
+   ShellPkg/Application/Shell/Shell.inf {
+     <LibraryClasses>
+       ShellCommandLib|ShellPkg/Library/UefiShellCommandLib/UefiShellCommandLib.inf
+diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+index 5db1918159..ea2d4cbe87 100644
+--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+@@ -101,7 +101,6 @@ READ_LOCK_STATUS   = TRUE
+   # UEFI application (Shell Embedded Boot Loader)
+   #
+   INF ShellPkg/Application/Shell/Shell.inf
+-  INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+ 
+   #
+   # Bds
+-- 
+2.27.0
+
diff --git a/SOURCES/edk2-ArmVirtPkg-Remove-NvmExpressDxe-device-driver-RHEL-o.patch b/SOURCES/edk2-ArmVirtPkg-Remove-NvmExpressDxe-device-driver-RHEL-o.patch
new file mode 100644
index 0000000..8dfe018
--- /dev/null
+++ b/SOURCES/edk2-ArmVirtPkg-Remove-NvmExpressDxe-device-driver-RHEL-o.patch
@@ -0,0 +1,77 @@
+From aa4142400a322fa9ee46ad33e8bc25c99388d349 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:29:10 +0200
+Subject: [PATCH 08/19] ArmVirtPkg: Remove NvmExpressDxe device driver (RHEL
+ only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [8/19] d07dd11cb7a59c5af361ff5f801b7cfe421bce14
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+There is no real known use case for the NVME driver.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ArmVirtPkg/ArmVirtQemu.dsc           | 5 -----
+ ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 5 -----
+ ArmVirtPkg/ArmVirtQemuKernel.dsc     | 5 -----
+ 3 files changed, 15 deletions(-)
+
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index 031edc3a7f..b6fdcb3612 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -471,11 +471,6 @@
+   MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+ 
+-  #
+-  # NVME Driver
+-  #
+-  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
+-
+   #
+   # SMBIOS Support
+   #
+diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+index fbb86af5a8..5418cde2e1 100644
+--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+@@ -130,11 +130,6 @@ READ_LOCK_STATUS   = TRUE
+   INF MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
+   INF MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+ 
+-  #
+-  # NVME Driver
+-  #
+-  INF MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
+-
+   #
+   # SMBIOS Support
+   #
+diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+index 9810fa5817..af0484d841 100644
+--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+@@ -401,11 +401,6 @@
+   MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+ 
+-  #
+-  # NVME Driver
+-  #
+-  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
+-
+   #
+   # SMBIOS Support
+   #
+-- 
+2.27.0
+
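Review bot: "There is no real known use case for the NVME driver" is thin justification for removing a boot-path driver from all three files (ArmVirtQemu.dsc, ArmVirtQemuKernel.dsc and ArmVirtQemuFvMain.fdf.inc). After this change the firmware has no NVMe driver, so a guest whose boot disk is attached as NVMe is no longer bootable from it. The message should say whether that configuration is unsupported and point to where that is documented.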
diff --git a/SOURCES/edk2-ArmVirtPkg-Remove-QemuRamfbDxe-display-device-driver.patch b/SOURCES/edk2-ArmVirtPkg-Remove-QemuRamfbDxe-display-device-driver.patch
new file mode 100644
index 0000000..6ac3546
--- /dev/null
+++ b/SOURCES/edk2-ArmVirtPkg-Remove-QemuRamfbDxe-display-device-driver.patch
@@ -0,0 +1,72 @@
+From e80cc71e0692102a975e9c4d4f8810374a6e8bf0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:29:02 +0200
+Subject: [PATCH 06/19] ArmVirtPkg: Remove QemuRamfbDxe display device driver
+ (RHEL only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [6/19] 4e08ed3eb98f0901ae033d76c12b62d89f67f6e7
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+The ramfb display device driver is only potentially needed for
+aarch64 Windows guests, which are not supported by RHEL.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ArmVirtPkg/ArmVirtQemu.dsc           | 4 ----
+ ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 1 -
+ ArmVirtPkg/ArmVirtQemuKernel.dsc     | 4 ----
+ 3 files changed, 9 deletions(-)
+
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index d2a2fdac8e..031edc3a7f 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -504,10 +504,6 @@
+   #
+   # Video support
+   #
+-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|($(DEBUG_PRINT_ERROR_LEVEL)) & 0xFFBFFFFF
+-  }
+   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+   OvmfPkg/PlatformDxe/Platform.inf
+ 
+diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+index 0ba57fe687..fbb86af5a8 100644
+--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+@@ -164,7 +164,6 @@ READ_LOCK_STATUS   = TRUE
+   #
+   # Video support
+   #
+-  INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+   INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+   INF OvmfPkg/PlatformDxe/Platform.inf
+ 
+diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+index 7e50ce8b3b..9810fa5817 100644
+--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+@@ -434,10 +434,6 @@
+   #
+   # Video support
+   #
+-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|($(DEBUG_PRINT_ERROR_LEVEL)) & 0xFFBFFFFF
+-  }
+   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+   OvmfPkg/PlatformDxe/Platform.inf
+ 
+-- 
+2.27.0
+
diff --git a/SOURCES/edk2-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch b/SOURCES/edk2-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch
new file mode 100644
index 0000000..e9edf2b
--- /dev/null
+++ b/SOURCES/edk2-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch
@@ -0,0 +1,55 @@
+From 1c009e878f32c2774db7493069335945ea51a9b4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:29:28 +0200
+Subject: [PATCH 14/19] ArmVirtPkg: Remove TftpDynamicCommand from shell (RHEL
+ only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [14/19] 12436014941bd4a7c99a26d779ebdcd75f169403
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove the command to download files in the shell via TFTP.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ArmVirtPkg/ArmVirt.dsc.inc           | 4 ----
+ ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 1 -
+ 2 files changed, 5 deletions(-)
+
+diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
+index 505e895db7..012050147e 100644
+--- a/ArmVirtPkg/ArmVirt.dsc.inc
++++ b/ArmVirtPkg/ArmVirt.dsc.inc
+@@ -378,10 +378,6 @@
+   #
+   # UEFI application (Shell Embedded Boot Loader)
+   #
+-  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+-  }
+   ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf {
+     <PcdsFixedAtBuild>
+       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+index a6d5c35649..4a26071397 100644
+--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+@@ -101,7 +101,6 @@ READ_LOCK_STATUS   = TRUE
+   # UEFI application (Shell Embedded Boot Loader)
+   #
+   INF ShellPkg/Application/Shell/Shell.inf
+-  INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
+   INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
+   INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+ 
+-- 
+2.27.0
+
diff --git a/SOURCES/edk2-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch b/SOURCES/edk2-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch
new file mode 100644
index 0000000..ccd0aaa
--- /dev/null
+++ b/SOURCES/edk2-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch
@@ -0,0 +1,64 @@
+From 16ea5dcae2f8064bfb2c24109f48c87dfc5c0823 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:29:22 +0200
+Subject: [PATCH 12/19] ArmVirtPkg: Remove UdfDxe filesystem driver (RHEL only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [12/19] fcadb6a747b65e4d449d48131c9a2eeed4bd3c9a
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove the UDF driver.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ArmVirtPkg/ArmVirtQemu.dsc           | 1 -
+ ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 1 -
+ ArmVirtPkg/ArmVirtQemuKernel.dsc     | 1 -
+ 3 files changed, 3 deletions(-)
+
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index 1b35b84b72..2d40132431 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -424,7 +424,6 @@
+   MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf
+   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   FatPkg/EnhancedFatDxe/Fat.inf
+-  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+ 
+   #
+   # Bds
+diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+index 87c0c42085..a6d5c35649 100644
+--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+@@ -83,7 +83,6 @@ READ_LOCK_STATUS   = TRUE
+   INF MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf
+   INF FatPkg/EnhancedFatDxe/Fat.inf
+   INF MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+-  INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+ 
+   #
+   # Status Code Routing
+diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+index a8a8525b1f..fa98d8ff50 100644
+--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+@@ -354,7 +354,6 @@
+   MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf
+   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   FatPkg/EnhancedFatDxe/Fat.inf
+-  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+ 
+   #
+   # Bds
+-- 
+2.27.0
+
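Review bot: the message ("Remove the UDF driver.") gives no reason, and in the context shown by all three hunks Fat.inf is now the last filesystem driver in the list. The firmware will no longer read UDF volumes, which matters for anyone booting from UDF-formatted media. Please state that effect and the motivation in the message so the removal is not reverted later as an apparent regression.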
diff --git a/SOURCES/edk2-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch b/SOURCES/edk2-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch
new file mode 100644
index 0000000..62a8aa2
--- /dev/null
+++ b/SOURCES/edk2-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch
@@ -0,0 +1,65 @@
+From 55ddaceab730853aa40f842501cf5f1bb1d3220a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:29:16 +0200
+Subject: [PATCH 10/19] ArmVirtPkg: Remove VirtioFsDxe filesystem driver (RHEL
+ only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [10/19] 808ad4385c24fbf34fb0ba359808e6d364e1d030
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove the virtio-fs driver.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ArmVirtPkg/ArmVirtQemu.dsc           | 1 -
+ ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 1 -
+ ArmVirtPkg/ArmVirtQemuKernel.dsc     | 1 -
+ 3 files changed, 3 deletions(-)
+
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index b6fdcb3612..1b35b84b72 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -425,7 +425,6 @@
+   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   FatPkg/EnhancedFatDxe/Fat.inf
+   MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+-  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+ 
+   #
+   # Bds
+diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+index 5418cde2e1..87c0c42085 100644
+--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+@@ -84,7 +84,6 @@ READ_LOCK_STATUS   = TRUE
+   INF FatPkg/EnhancedFatDxe/Fat.inf
+   INF MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+-  INF OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+ 
+   #
+   # Status Code Routing
+diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+index af0484d841..a8a8525b1f 100644
+--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+@@ -355,7 +355,6 @@
+   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   FatPkg/EnhancedFatDxe/Fat.inf
+   MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+-  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+ 
+   #
+   # Bds
+-- 
+2.27.0
+
diff --git a/SOURCES/edk2-MdeModulePkg-PartitionDxe-Ignore-PMBR-BootIndicator-.patch b/SOURCES/edk2-MdeModulePkg-PartitionDxe-Ignore-PMBR-BootIndicator-.patch
new file mode 100644
index 0000000..f978260
--- /dev/null
+++ b/SOURCES/edk2-MdeModulePkg-PartitionDxe-Ignore-PMBR-BootIndicator-.patch
@@ -0,0 +1,74 @@
+From e02e989ebff6caef4efbb91bc34b242a3bbed9d7 Mon Sep 17 00:00:00 2001
+From: Neal Gompa <ngompa@fedoraproject.org>
+Date: Mon, 5 Jul 2021 05:36:03 -0400
+Subject: [PATCH] MdeModulePkg/PartitionDxe: Ignore PMBR BootIndicator per UEFI
+ spec
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 6: MdeModulePkg/PartitionDxe: Ignore PMBR BootIndicator per UEFI spec [RHEL-9, c9s]
+RH-Commit: [1/1] b06df986d8e0cd0dab6e4234801c330b4d26e7db
+RH-Bugzilla: 1988760
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+Per UEFI Spec 2.8 (UEFI_Spec_2_8_final.pdf, page 114)
+5.2.3 Protective MBR
+Table 20. Protective MBR Partition Record protecting the entire disk
+
+The description for BootIndicator states the following:
+
+> Set to 0x00 to indicate a non-bootable partition. If set to any
+> value other than 0x00 the behavior of this flag on non-UEFI
+> systems is undefined. Must be ignored by UEFI implementations.
+
+Unfortunately, we have been incorrectly assuming that the
+BootIndicator value must be 0x00, which leads to problems
+when the 'pmbr_boot' flag is set on a disk containing a GPT
+(such as with GNU parted). When the flag is set, the value
+changes to 0x01, causing this check to fail and the system
+is rendered unbootable despite it being valid from the
+perspective of the UEFI spec.
+
+To resolve this, we drop the check for the BootIndicator
+so that we stop caring about the value set there, which
+restores the capability to boot such disks.
+
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3474
+
+Cc: Chris Murphy <chrismurphy@fedoraproject.org>
+Cc: David Duncan <davdunc@amazon.com>
+Cc: Lazlo Ersek <lersek@redhat.com>
+Cc: Hao A Wu <hao.a.wu@intel.com>
+Cc: Ray Ni <ray.ni@intel.com>
+Cc: Zhichao Gao <zhichao.gao@intel.com>
+
+Signed-off-by: Neal Gompa <ngompa@fedoraproject.org>
+Message-Id: <20210705093603.575707-1-ngompa@fedoraproject.org>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Hao A Wu <hao.a.wu@intel.com>
+(cherry picked from commit b3db0cb1f8d163f22b769c205c6347376a315dcd)
+Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c b/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
+index aefb2d6ecb..efaff5e080 100644
+--- a/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
++++ b/MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
+@@ -264,8 +264,7 @@ PartitionInstallGptChildHandles (
+   // Verify that the Protective MBR is valid
+   //
+   for (Index = 0; Index < MAX_MBR_PARTITIONS; Index++) {
+-    if (ProtectiveMbr->Partition[Index].BootIndicator == 0x00 &&
+-        ProtectiveMbr->Partition[Index].OSIndicator == PMBR_GPT_PARTITION &&
++    if (ProtectiveMbr->Partition[Index].OSIndicator == PMBR_GPT_PARTITION &&
+         UNPACK_UINT32 (ProtectiveMbr->Partition[Index].StartingLBA) == 1
+         ) {
+       break;
+-- 
+2.27.0
+
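Review bot: the loop in the Gpt.c hunk still sits under the comment "Verify that the Protective MBR is valid", but after this change nothing at the condition says that BootIndicator is ignored on purpose. Add a one-line comment there citing UEFI 2.8 section 5.2.3 ("Must be ignored by UEFI implementations") so that the check is not reintroduced later as apparent hardening. The remaining tests, OSIndicator == PMBR_GPT_PARTITION and StartingLBA == 1, are unchanged.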
diff --git a/SOURCES/edk2-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch b/SOURCES/edk2-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch
new file mode 100644
index 0000000..deb0bf6
--- /dev/null
+++ b/SOURCES/edk2-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch
@@ -0,0 +1,96 @@
+From 713a76945fb7962d97be9c0f8a54a32da5f683d2 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:55 +0200
+Subject: [PATCH 06/11] NetworkPkg/IScsiDxe: assert that IScsiBinToHex() always
+ succeeds
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Laszlo Ersek <lersek@redhat.com>
+RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]
+RH-Commit: [6/10] f75dedb1034e5feb5fd268c99184d3e392ef9beb
+RH-Bugzilla: 1961100
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+IScsiBinToHex() is called for encoding:
+
+- the answer to the target's challenge; that is, CHAP_R;
+
+- the challenge for the target, in case mutual authentication is enabled;
+  that is, CHAP_C.
+
+The initiator controls the size of both blobs, the sizes of their hex
+encodings are correctly calculated in "RspLen" and "ChallengeLen".
+Therefore the IScsiBinToHex() calls never fail; assert that.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Message-Id: <20210608121259.32451-7-lersek@redhat.com>
+(cherry picked from commit d90fff40cb2502b627370a77f5608c8a178c3f78)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiCHAP.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+index 9e192ce292..dbe3c8ef46 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+@@ -391,6 +391,7 @@ IScsiCHAPToSendReq (
+   UINT32                      RspLen;
+   CHAR8                       *Challenge;
+   UINT32                      ChallengeLen;
++  EFI_STATUS                  BinToHexStatus;
+ 
+   ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION);
+ 
+@@ -471,12 +472,13 @@ IScsiCHAPToSendReq (
+     //
+     // CHAP_R=<R>
+     //
+-    IScsiBinToHex (
+-      (UINT8 *) AuthData->CHAPResponse,
+-      ISCSI_CHAP_RSP_LEN,
+-      Response,
+-      &RspLen
+-      );
++    BinToHexStatus = IScsiBinToHex (
++                       (UINT8 *) AuthData->CHAPResponse,
++                       ISCSI_CHAP_RSP_LEN,
++                       Response,
++                       &RspLen
++                       );
++    ASSERT_EFI_ERROR (BinToHexStatus);
+     IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response);
+ 
+     if (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL) {
+@@ -490,12 +492,13 @@ IScsiCHAPToSendReq (
+       // CHAP_C=<C>
+       //
+       IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN);
+-      IScsiBinToHex (
+-        (UINT8 *) AuthData->OutChallenge,
+-        ISCSI_CHAP_RSP_LEN,
+-        Challenge,
+-        &ChallengeLen
+-        );
++      BinToHexStatus = IScsiBinToHex (
++                         (UINT8 *) AuthData->OutChallenge,
++                         ISCSI_CHAP_RSP_LEN,
++                         Challenge,
++                         &ChallengeLen
++                         );
++      ASSERT_EFI_ERROR (BinToHexStatus);
+       IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge);
+ 
+       Conn->AuthStep = ISCSI_CHAP_STEP_FOUR;
+-- 
+2.27.0
+
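Review bot: Both ASSERT_EFI_ERROR (BinToHexStatus) lines in IScsiCHAPToSendReq() depend on "RspLen" and "ChallengeLen" already holding the sizes of "Response" and "Challenge", but neither hunk shows where those lengths are set, so the invariant cannot be checked from the call sites. Add a short comment above each assert pointing at the length calculation it relies on. In builds where ASSERT_EFI_ERROR() is compiled out, BinToHexStatus is assigned and never read, and a failure would pass an unpopulated buffer to IScsiAddKeyValuePair(); an explicit EFI_ERROR (BinToHexStatus) check with an error exit would keep that path safe in every build.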
diff --git a/SOURCES/edk2-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch b/SOURCES/edk2-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch
new file mode 100644
index 0000000..52fc46c
--- /dev/null
+++ b/SOURCES/edk2-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch
@@ -0,0 +1,92 @@
+From de86f03cd7ed849ff62b1591c5fd34aeb1792887 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:59 +0200
+Subject: [PATCH 10/11] NetworkPkg/IScsiDxe: check IScsiHexToBin() return
+ values
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Laszlo Ersek <lersek@redhat.com>
+RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]
+RH-Commit: [10/10] 840f483839ce598396bb6db8ec1f0f50689b8215
+RH-Bugzilla: 1961100
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+IScsiDxe (that is, the initiator) receives two hex-encoded strings from
+the iSCSI target:
+
+- CHAP_C, where the target challenges the initiator,
+
+- CHAP_R, where the target answers the challenge from the initiator (in
+  case the initiator wants mutual authentication).
+
+Accordingly, we have two IScsiHexToBin() call sites:
+
+- At the CHAP_C decoding site, check whether the decoding succeeds. The
+  decoded buffer ("AuthData->InChallenge") can accommodate 1024 bytes,
+  which is a permissible restriction on the target, per
+  <https://tools.ietf.org/html/rfc7143#section-12.1.3>. Shorter challenges
+  from the target are acceptable.
+
+- At the CHAP_R decoding site, enforce that the decoding both succeed, and
+  provide exactly ISCSI_CHAP_RSP_LEN bytes. CHAP_R contains the digest
+  calculated by the target, therefore it must be of fixed size. We may
+  only call IScsiCHAPAuthTarget() if "TargetRsp" has been fully populated.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Message-Id: <20210608121259.32451-11-lersek@redhat.com>
+(cherry picked from commit b8649cf2a3e673a4a8cb6c255e394b354b771550)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiCHAP.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+index dbe3c8ef46..7e930c0d1e 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+@@ -290,11 +290,15 @@ IScsiCHAPOnRspReceived (
+ 
+     AuthData->InIdentifier      = (UINT32) Result;
+     AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge);
+-    IScsiHexToBin (
+-      (UINT8 *) AuthData->InChallenge,
+-      &AuthData->InChallengeLength,
+-      Challenge
+-      );
++    Status = IScsiHexToBin (
++               (UINT8 *) AuthData->InChallenge,
++               &AuthData->InChallengeLength,
++               Challenge
++               );
++    if (EFI_ERROR (Status)) {
++      Status = EFI_PROTOCOL_ERROR;
++      goto ON_EXIT;
++    }
+     Status = IScsiCHAPCalculateResponse (
+                AuthData->InIdentifier,
+                AuthData->AuthConfig->CHAPSecret,
+@@ -337,7 +341,11 @@ IScsiCHAPOnRspReceived (
+     }
+ 
+     RspLen = ISCSI_CHAP_RSP_LEN;
+-    IScsiHexToBin (TargetRsp, &RspLen, Response);
++    Status = IScsiHexToBin (TargetRsp, &RspLen, Response);
++    if (EFI_ERROR (Status) || RspLen != ISCSI_CHAP_RSP_LEN) {
++      Status = EFI_PROTOCOL_ERROR;
++      goto ON_EXIT;
++    }
+ 
+     //
+     // Check the CHAP Name and Response replied by Target.
+-- 
+2.27.0
+
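Review bot: At both IScsiHexToBin() call sites in IScsiCHAPOnRspReceived(), the decoder's Status is overwritten with EFI_PROTOCOL_ERROR immediately before "goto ON_EXIT", so malformed hex, an oversized CHAP_C and a wrong-length CHAP_R all look the same to whoever debugs a failed login. Emit a DEBUG message with the original Status (and, at the CHAP_R site, RspLen) before the overwrite. The CHAP_C site also accepts any decoded length up to sizeof (AuthData->InChallenge); the commit message explains why shorter challenges are fine, and a one-line comment at the call site saying so would keep the asymmetry with the strict "RspLen != ISCSI_CHAP_RSP_LEN" check from looking like an oversight.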
diff --git a/SOURCES/edk2-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch b/SOURCES/edk2-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch
new file mode 100644
index 0000000..e4dd7fc
--- /dev/null
+++ b/SOURCES/edk2-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch
@@ -0,0 +1,103 @@
+From 4524b42b1cdf042d348c0070984428ec95ba96ec Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:52 +0200
+Subject: [PATCH 03/11] NetworkPkg/IScsiDxe: clean up
+ "ISCSI_CHAP_AUTH_DATA.OutChallengeLength"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Laszlo Ersek <lersek@redhat.com>
+RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]
+RH-Commit: [3/10] 10e4f6de005e7fd67eb3a0d266c9bc95b2df648c
+RH-Bugzilla: 1961100
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+The "ISCSI_CHAP_AUTH_DATA.OutChallenge" field is declared as a UINT8 array
+with ISCSI_CHAP_AUTH_MAX_LEN (1024) elements. However, when the challenge
+is generated and formatted, only ISCSI_CHAP_RSP_LEN (16) octets are used
+in the array.
+
+Change the array size to ISCSI_CHAP_RSP_LEN, and remove the (now unused)
+ISCSI_CHAP_AUTH_MAX_LEN macro.
+
+Remove the "ISCSI_CHAP_AUTH_DATA.OutChallengeLength" field, which is
+superfluous too.
+
+Most importantly, explain in a new comment *why* tying the challenge size
+to the digest size (ISCSI_CHAP_RSP_LEN) has always made sense. (See also
+Linux kernel commit 19f5f88ed779, "scsi: target: iscsi: tie the challenge
+length to the hash digest size", 2019-11-06.) For sure, the motivation
+that the new comment now explains has always been there, and has always
+been the same, for IScsiDxe; it's just that now we spell it out too.
+
+No change in peer-visible behavior.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Message-Id: <20210608121259.32451-4-lersek@redhat.com>
+(cherry picked from commit 95616b866187b00355042953efa5c198df07250f)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiCHAP.c | 3 +--
+ NetworkPkg/IScsiDxe/IScsiCHAP.h | 9 ++++++---
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+index df3c2eb120..9e192ce292 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+@@ -122,7 +122,7 @@ IScsiCHAPAuthTarget (
+              AuthData->AuthConfig->ReverseCHAPSecret,
+              SecretSize,
+              AuthData->OutChallenge,
+-             AuthData->OutChallengeLength,
++             ISCSI_CHAP_RSP_LEN,                      // ChallengeLength
+              VerifyRsp
+              );
+ 
+@@ -490,7 +490,6 @@ IScsiCHAPToSendReq (
+       // CHAP_C=<C>
+       //
+       IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN);
+-      AuthData->OutChallengeLength = ISCSI_CHAP_RSP_LEN;
+       IScsiBinToHex (
+         (UINT8 *) AuthData->OutChallenge,
+         ISCSI_CHAP_RSP_LEN,
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h
+index 1fc1d96ea3..35d5d6ec29 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h
+@@ -19,7 +19,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ #define ISCSI_CHAP_ALGORITHM_MD5  5
+ 
+-#define ISCSI_CHAP_AUTH_MAX_LEN   1024
+ ///
+ /// MD5_HASHSIZE
+ ///
+@@ -59,9 +58,13 @@ typedef struct _ISCSI_CHAP_AUTH_DATA {
+   //
+   // Auth-data to be sent out for mutual authentication.
+   //
++  // While the challenge size is technically independent of the hashing
++  // algorithm, it is good practice to avoid hashing *fewer bytes* than the
++  // digest size. In other words, it's good practice to feed *at least as many
++  // bytes* to the hashing algorithm as the hashing algorithm will output.
++  //
+   UINT32                        OutIdentifier;
+-  UINT8                         OutChallenge[ISCSI_CHAP_AUTH_MAX_LEN];
+-  UINT32                        OutChallengeLength;
++  UINT8                         OutChallenge[ISCSI_CHAP_RSP_LEN];
+ } ISCSI_CHAP_AUTH_DATA;
+ 
+ /**
+-- 
+2.27.0
+
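Review bot: In the IScsiCHAPAuthTarget() hunk the challenge length becomes the bare macro ISCSI_CHAP_RSP_LEN with a trailing "// ChallengeLength" comment, and IScsiGenRandom() and IScsiBinToHex() in IScsiCHAPToSendReq() use the same macro, so three use sites have to be kept in step by hand with the OutChallenge[ISCSI_CHAP_RSP_LEN] declaration. Passing sizeof (AuthData->OutChallenge) at the use sites would tie them to the declaration and remove the need for the trailing comment. In IScsiCHAP.h, the new explanatory comment is placed above OutIdentifier although it describes the size of OutChallenge; move it directly above the OutChallenge field.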
diff --git a/SOURCES/edk2-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch b/SOURCES/edk2-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch
new file mode 100644
index 0000000..c55de16
--- /dev/null
+++ b/SOURCES/edk2-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch
@@ -0,0 +1,102 @@
+From 26388852ad953a169f29b24277674c53f878ffe3 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:53 +0200
+Subject: [PATCH 04/11] NetworkPkg/IScsiDxe: clean up library class
+ dependencies
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Laszlo Ersek <lersek@redhat.com>
+RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]
+RH-Commit: [4/10] c468615c009bfd43f68f93fd9c1dc0e5b8615563
+RH-Bugzilla: 1961100
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+Sort the library class dependencies in the #include directives and in the
+INF file. Remove the DpcLib class from the #include directives -- it is
+not listed in the INF file, and IScsiDxe doesn't call either DpcLib API
+(QueueDpc(), DispatchDpc()). No functional changes.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Message-Id: <20210608121259.32451-5-lersek@redhat.com>
+(cherry picked from commit e8f28b09e63dfdbb4169969a43c65f86c44b035a)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiDxe.inf |  6 +++---
+ NetworkPkg/IScsiDxe/IScsiImpl.h  | 17 ++++++++---------
+ 2 files changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiDxe.inf b/NetworkPkg/IScsiDxe/IScsiDxe.inf
+index 0ffb340ce0..543c408302 100644
+--- a/NetworkPkg/IScsiDxe/IScsiDxe.inf
++++ b/NetworkPkg/IScsiDxe/IScsiDxe.inf
+@@ -65,6 +65,7 @@
+   NetworkPkg/NetworkPkg.dec
+ 
+ [LibraryClasses]
++  BaseCryptLib
+   BaseLib
+   BaseMemoryLib
+   DebugLib
+@@ -72,14 +73,13 @@
+   HiiLib
+   MemoryAllocationLib
+   NetLib
+-  TcpIoLib
+   PrintLib
++  TcpIoLib
+   UefiBootServicesTableLib
+   UefiDriverEntryPoint
++  UefiHiiServicesLib
+   UefiLib
+   UefiRuntimeServicesTableLib
+-  UefiHiiServicesLib
+-  BaseCryptLib
+ 
+ [Protocols]
+   gEfiAcpiTableProtocolGuid                     ## SOMETIMES_CONSUMES ## SystemTable
+diff --git a/NetworkPkg/IScsiDxe/IScsiImpl.h b/NetworkPkg/IScsiDxe/IScsiImpl.h
+index 387ab9765e..d895c7feb9 100644
+--- a/NetworkPkg/IScsiDxe/IScsiImpl.h
++++ b/NetworkPkg/IScsiDxe/IScsiImpl.h
+@@ -35,21 +35,20 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ #include <Protocol/AdapterInformation.h>
+ #include <Protocol/NetworkInterfaceIdentifier.h>
+ 
+-#include <Library/HiiLib.h>
+-#include <Library/UefiHiiServicesLib.h>
+-#include <Library/DevicePathLib.h>
+-#include <Library/DebugLib.h>
++#include <Library/BaseCryptLib.h>
+ #include <Library/BaseLib.h>
+ #include <Library/BaseMemoryLib.h>
++#include <Library/DebugLib.h>
++#include <Library/DevicePathLib.h>
++#include <Library/HiiLib.h>
+ #include <Library/MemoryAllocationLib.h>
++#include <Library/NetLib.h>
+ #include <Library/PrintLib.h>
++#include <Library/TcpIoLib.h>
+ #include <Library/UefiBootServicesTableLib.h>
+-#include <Library/UefiRuntimeServicesTableLib.h>
++#include <Library/UefiHiiServicesLib.h>
+ #include <Library/UefiLib.h>
+-#include <Library/DpcLib.h>
+-#include <Library/NetLib.h>
+-#include <Library/TcpIoLib.h>
+-#include <Library/BaseCryptLib.h>
++#include <Library/UefiRuntimeServicesTableLib.h>
+ 
+ #include <Guid/MdeModuleHii.h>
+ #include <Guid/EventGroup.h>
+-- 
+2.27.0
+
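Review bot: The only line in this patch that is not a pure move is "-#include <Library/DpcLib.h>" in the IScsiImpl.h hunk, and it is buried among reordered includes, which makes the "No functional changes" claim hard to verify by eye. Split the DpcLib removal into its own patch, or state in the commit message that the patch is meant to be reviewed with moved-line highlighting (for example "git show --color-moved"), so that the single dropped include stands out. The IScsiDxe.inf hunks are reorder-only as far as the visible lines show.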
diff --git a/SOURCES/edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch b/SOURCES/edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch
new file mode 100644
index 0000000..3d53f7a
--- /dev/null
+++ b/SOURCES/edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch
@@ -0,0 +1,114 @@
+From 5fb7ec7c442e3ca7ab27b2a66223345cb7411c87 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:58 +0200
+Subject: [PATCH 09/11] NetworkPkg/IScsiDxe: fix IScsiHexToBin() buffer
+ overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Laszlo Ersek <lersek@redhat.com>
+RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]
+RH-Commit: [9/10] 91724ef3d2d9732ffe9328168a39d922d1baaa8b
+RH-Bugzilla: 1961100
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+The IScsiHexToBin() function documents the EFI_BUFFER_TOO_SMALL return
+condition, but never actually checks whether the decoded buffer fits into
+the caller-provided room (i.e., the input value of "BinLength"), and
+EFI_BUFFER_TOO_SMALL is never returned. The decoding of "HexStr" can
+overflow "BinBuffer".
+
+This is remotely exploitable, as shown in a subsequent patch, which adds
+error checking to the IScsiHexToBin() call sites. This issue allows the
+target to compromise the initiator.
+
+Introduce EFI_BAD_BUFFER_SIZE, in addition to the existent
+EFI_BUFFER_TOO_SMALL, for reporting a special case of the buffer overflow,
+plus actually catch the buffer overflow.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210608121259.32451-10-lersek@redhat.com>
+(cherry picked from commit 54e90edaed0d7c15230902ac4d74f4304bad2ebd)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiMisc.c | 20 +++++++++++++++++---
+ NetworkPkg/IScsiDxe/IScsiMisc.h |  3 +++
+ 2 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
+index f0f4992b07..4069547867 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
+@@ -377,6 +377,9 @@ IScsiBinToHex (
+   @retval EFI_SUCCESS           The hexadecimal string is converted into a
+                                 binary encoded buffer.
+   @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
++  @retval EFI_BAD_BUFFER_SIZE   The length of HexStr is too large for decoding:
++                                the decoded size cannot be expressed in
++                                BinLength on output.
+   @retval EFI_BUFFER_TOO_SMALL  The binary buffer is too small to hold the
+                                 converted data.
+ **/
+@@ -387,6 +390,8 @@ IScsiHexToBin (
+   IN     CHAR8  *HexStr
+   )
+ {
++  UINTN   BinLengthMin;
++  UINT32  BinLengthProvided;
+   UINTN   Index;
+   UINTN   Length;
+   UINT8   Digit;
+@@ -409,6 +414,18 @@ IScsiHexToBin (
+   if (Length == 0 || Length % 2 != 0) {
+     return EFI_INVALID_PARAMETER;
+   }
++  //
++  // Check if the caller provides enough room for the decoded blob.
++  //
++  BinLengthMin = Length / 2;
++  if (BinLengthMin > MAX_UINT32) {
++    return EFI_BAD_BUFFER_SIZE;
++  }
++  BinLengthProvided = *BinLength;
++  *BinLength = (UINT32)BinLengthMin;
++  if (BinLengthProvided < BinLengthMin) {
++    return EFI_BUFFER_TOO_SMALL;
++  }
+ 
+   for (Index = 0; Index < Length; Index ++) {
+     TemStr[0] = HexStr[Index];
+@@ -425,9 +442,6 @@ IScsiHexToBin (
+       BinBuffer [Index/2] = (UINT8) ((BinBuffer [Index/2] << 4) + Digit);
+     }
+   }
+-
+-  *BinLength = (UINT32) ((Index + 1)/2);
+-
+   return EFI_SUCCESS;
+ }
+ 
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
+index 404a482e57..fddef4f466 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
+@@ -172,6 +172,9 @@ IScsiBinToHex (
+   @retval EFI_SUCCESS           The hexadecimal string is converted into a
+                                 binary encoded buffer.
+   @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
++  @retval EFI_BAD_BUFFER_SIZE   The length of HexStr is too large for decoding:
++                                the decoded size cannot be expressed in
++                                BinLength on output.
+   @retval EFI_BUFFER_TOO_SMALL  The binary buffer is too small to hold the
+                                 converted data.
+ **/
+-- 
+2.27.0
+
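Review bot: In the IScsiHexToBin() hunk of IScsiMisc.c, "*BinLength = (UINT32)BinLengthMin;" is stored before the "BinLengthProvided < BinLengthMin" test, so on EFI_BUFFER_TOO_SMALL the caller gets the required size back, but the comment block in neither IScsiMisc.c nor IScsiMisc.h says that BinLength is updated on that error path. Document it under the EFI_BUFFER_TOO_SMALL @retval or the BinLength @param, since callers that reuse the length variable after a failure depend on it. Two style points in the same hunk: the new "//" comment follows the closing brace of the Length check with no blank line, and the cast is written "(UINT32)BinLengthMin" where the removed line used "(UINT32) (" with a space after the cast.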
diff --git a/SOURCES/edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch b/SOURCES/edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch
new file mode 100644
index 0000000..1d0cdf3
--- /dev/null
+++ b/SOURCES/edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch
@@ -0,0 +1,105 @@
+From b0b03cadbee4f8560e4eb284b8d12a5ccc697281 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:57 +0200
+Subject: [PATCH 08/11] NetworkPkg/IScsiDxe: fix IScsiHexToBin() hex parsing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Laszlo Ersek <lersek@redhat.com>
+RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]
+RH-Commit: [8/10] d336a24538fe8b4a53f7fd249ae94cd2c3c22cb5
+RH-Bugzilla: 1961100
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+The IScsiHexToBin() function has the following parser issues:
+
+(1) If the *subject sequence* in "HexStr" is empty, the function returns
+    EFI_SUCCESS (with "BinLength" set to 0 on output). Such inputs should
+    be rejected.
+
+(2) The function mis-handles a "HexStr" that ends with a stray nibble. For
+    example, if "HexStr" is "0xABC", the function decodes it to the bytes
+    {0xAB, 0x0C}, sets "BinLength" to 2 on output, and returns
+    EFI_SUCCESS. Such inputs should be rejected.
+
+(3) If an invalid hex char is found in "HexStr", the function treats it as
+    end-of-hex-string, and returns EFI_SUCCESS. Such inputs should be
+    rejected.
+
+All of the above cases are remotely triggerable, as shown in a subsequent
+patch, which adds error checking to the IScsiHexToBin() call sites. While
+the initiator is not immediately compromised, incorrectly parsing CHAP_R
+from the target, in case of mutual authentication, is not great.
+
+Extend the interface contract of IScsiHexToBin() with
+EFI_INVALID_PARAMETER, for reporting issues (1) through (3), and implement
+the new checks.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210608121259.32451-9-lersek@redhat.com>
+(cherry picked from commit 47b76780b487dbfde4efb6843b16064c4a97e94d)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiMisc.c | 12 ++++++++++--
+ NetworkPkg/IScsiDxe/IScsiMisc.h |  1 +
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
+index 014700e87a..f0f4992b07 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
+@@ -376,6 +376,7 @@ IScsiBinToHex (
+ 
+   @retval EFI_SUCCESS           The hexadecimal string is converted into a
+                                 binary encoded buffer.
++  @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
+   @retval EFI_BUFFER_TOO_SMALL  The binary buffer is too small to hold the
+                                 converted data.
+ **/
+@@ -402,14 +403,21 @@ IScsiHexToBin (
+ 
+   Length = AsciiStrLen (HexStr);
+ 
++  //
++  // Reject an empty hex string; reject a stray nibble.
++  //
++  if (Length == 0 || Length % 2 != 0) {
++    return EFI_INVALID_PARAMETER;
++  }
++
+   for (Index = 0; Index < Length; Index ++) {
+     TemStr[0] = HexStr[Index];
+     Digit = (UINT8) AsciiStrHexToUint64 (TemStr);
+     if (Digit == 0 && TemStr[0] != '0') {
+       //
+-      // Invalid Lun Char.
++      // Invalid Hex Char.
+       //
+-      break;
++      return EFI_INVALID_PARAMETER;
+     }
+     if ((Index & 1) == 0) {
+       BinBuffer [Index/2] = Digit;
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
+index 28cf408cd5..404a482e57 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
+@@ -171,6 +171,7 @@ IScsiBinToHex (
+ 
+   @retval EFI_SUCCESS           The hexadecimal string is converted into a
+                                 binary encoded buffer.
++  @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
+   @retval EFI_BUFFER_TOO_SMALL  The binary buffer is too small to hold the
+                                 converted data.
+ **/
+-- 
+2.27.0
+
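Review bot: In the IScsiHexToBin() loop, the new "return EFI_INVALID_PARAMETER;" for an invalid hex character is reached only after earlier iterations have already stored into BinBuffer, so a string that is invalid partway through leaves the caller's buffer partially overwritten while BinLength still holds its input value. Either validate the whole string before the first store, or state in the comment block that the contents of BinBuffer are indeterminate on any error return. The added @retval text "Invalid hex encoding found in HexStr" should also mention the empty-string and odd-length cases that the new "Length == 0 || Length % 2 != 0" check rejects.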
diff --git a/SOURCES/edk2-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch b/SOURCES/edk2-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch
new file mode 100644
index 0000000..0464b51
--- /dev/null
+++ b/SOURCES/edk2-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch
@@ -0,0 +1,155 @@
+From 67474c22010ba8c7c240d8e02b2151c7d796171d Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:54 +0200
+Subject: [PATCH 05/11] NetworkPkg/IScsiDxe: fix potential integer overflow in
+ IScsiBinToHex()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Laszlo Ersek <lersek@redhat.com>
+RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]
+RH-Commit: [5/10] 3d7a886c1f73d811ef47381e4d6a82683ab0900e
+RH-Bugzilla: 1961100
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+Considering IScsiBinToHex():
+
+>   if (((*HexLength) - 3) < BinLength * 2) {
+>     *HexLength = BinLength * 2 + 3;
+>   }
+
+the following subexpressions are problematic:
+
+  (*HexLength) - 3
+  BinLength * 2
+  BinLength * 2 + 3
+
+The first one may wrap under zero, the latter two may wrap over
+MAX_UINT32.
+
+Rewrite the calculation using SafeIntLib.
+
+While at it, change the type of the "Index" variable from UINTN to UINT32.
+The largest "Index"-based value that we calculate is
+
+  Index * 2 + 2                                (with (Index == BinLength))
+
+Because the patch makes
+
+  BinLength * 2 + 3
+
+safe to calculate in UINT32, using UINT32 for
+
+  Index * 2 + 2                                (with (Index == BinLength))
+
+is safe too. Consistently using UINT32 improves readability.
+
+This patch is best reviewed with "git show -W".
+
+The integer overflows that this patch fixes are theoretical; a subsequent
+patch in the series will audit the IScsiBinToHex() call sites, and show
+that none of them can fail.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210608121259.32451-6-lersek@redhat.com>
+(cherry picked from commit cf01b2dc8fc3ff9cf49fb891af5703dc03e3193e)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiDxe.inf |  1 +
+ NetworkPkg/IScsiDxe/IScsiImpl.h  |  1 +
+ NetworkPkg/IScsiDxe/IScsiMisc.c  | 19 +++++++++++++++----
+ NetworkPkg/IScsiDxe/IScsiMisc.h  |  1 +
+ 4 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiDxe.inf b/NetworkPkg/IScsiDxe/IScsiDxe.inf
+index 543c408302..1dde56d00c 100644
+--- a/NetworkPkg/IScsiDxe/IScsiDxe.inf
++++ b/NetworkPkg/IScsiDxe/IScsiDxe.inf
+@@ -74,6 +74,7 @@
+   MemoryAllocationLib
+   NetLib
+   PrintLib
++  SafeIntLib
+   TcpIoLib
+   UefiBootServicesTableLib
+   UefiDriverEntryPoint
+diff --git a/NetworkPkg/IScsiDxe/IScsiImpl.h b/NetworkPkg/IScsiDxe/IScsiImpl.h
+index d895c7feb9..ac3a25730e 100644
+--- a/NetworkPkg/IScsiDxe/IScsiImpl.h
++++ b/NetworkPkg/IScsiDxe/IScsiImpl.h
+@@ -44,6 +44,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ #include <Library/MemoryAllocationLib.h>
+ #include <Library/NetLib.h>
+ #include <Library/PrintLib.h>
++#include <Library/SafeIntLib.h>
+ #include <Library/TcpIoLib.h>
+ #include <Library/UefiBootServicesTableLib.h>
+ #include <Library/UefiHiiServicesLib.h>
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
+index b8fef3ff6f..42988e15cb 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
+@@ -316,6 +316,7 @@ IScsiMacAddrToStr (
+   @retval EFI_SUCCESS          The binary data is converted to the hexadecimal string
+                                and the length of the string is updated.
+   @retval EFI_BUFFER_TOO_SMALL The string is too small.
++  @retval EFI_BAD_BUFFER_SIZE  BinLength is too large for hex encoding.
+   @retval EFI_INVALID_PARAMETER The IP string is malformatted.
+ 
+ **/
+@@ -327,18 +328,28 @@ IScsiBinToHex (
+   IN OUT UINT32 *HexLength
+   )
+ {
+-  UINTN Index;
++  UINT32 HexLengthMin;
++  UINT32 HexLengthProvided;
++  UINT32 Index;
+ 
+   if ((HexStr == NULL) || (BinBuffer == NULL) || (BinLength == 0)) {
+     return EFI_INVALID_PARAMETER;
+   }
+ 
+-  if (((*HexLength) - 3) < BinLength * 2) {
+-    *HexLength = BinLength * 2 + 3;
++  //
++  // Safely calculate: HexLengthMin := BinLength * 2 + 3.
++  //
++  if (RETURN_ERROR (SafeUint32Mult (BinLength, 2, &HexLengthMin)) ||
++      RETURN_ERROR (SafeUint32Add (HexLengthMin, 3, &HexLengthMin))) {
++    return EFI_BAD_BUFFER_SIZE;
++  }
++
++  HexLengthProvided = *HexLength;
++  *HexLength = HexLengthMin;
++  if (HexLengthProvided < HexLengthMin) {
+     return EFI_BUFFER_TOO_SMALL;
+   }
+ 
+-  *HexLength = BinLength * 2 + 3;
+   //
+   // Prefix for Hex String.
+   //
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
+index 46c725aab3..231413993b 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
+@@ -150,6 +150,7 @@ IScsiAsciiStrToIp (
+   @retval EFI_SUCCESS          The binary data is converted to the hexadecimal string
+                                and the length of the string is updated.
+   @retval EFI_BUFFER_TOO_SMALL The string is too small.
++  @retval EFI_BAD_BUFFER_SIZE  BinLength is too large for hex encoding.
+   @retval EFI_INVALID_PARAMETER The IP string is malformatted.
+ 
+ **/
+-- 
+2.27.0
+
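Review bot: In the IScsiBinToHex() hunk of IScsiMisc.c, "HexLengthProvided = *HexLength;" dereferences HexLength, yet the parameter check just above it tests only HexStr, BinBuffer and BinLength; since this patch is hardening the function's input handling, add "(HexLength == NULL)" to that condition. The comment block touched in both IScsiMisc.c and IScsiMisc.h still reads "@retval EFI_INVALID_PARAMETER The IP string is malformatted.", which does not describe this function; correct it in the same patch, next to the new EFI_BAD_BUFFER_SIZE line.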
diff --git a/SOURCES/edk2-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch b/SOURCES/edk2-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch
new file mode 100644
index 0000000..3290626
--- /dev/null
+++ b/SOURCES/edk2-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch
@@ -0,0 +1,94 @@
+From 618ba71beb3f848660c8c95187d92f2c8f277143 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:56 +0200
+Subject: [PATCH 07/11] NetworkPkg/IScsiDxe: reformat IScsiHexToBin() leading
+ comment block
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Laszlo Ersek <lersek@redhat.com>
+RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]
+RH-Commit: [7/10] ea7e41e567759e461777094ae2049a29eb5c3826
+RH-Bugzilla: 1961100
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+We'll need further return values for IScsiHexToBin() in a subsequent
+patch; make room for them in the leading comment block of the function.
+While at it, rewrap the comment block to 80 characters width.
+
+No functional changes.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210608121259.32451-8-lersek@redhat.com>
+(cherry picked from commit dc469f137110fe79704b8b92c552972c739bb915)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiMisc.c | 16 ++++++++--------
+ NetworkPkg/IScsiDxe/IScsiMisc.h | 16 ++++++++--------
+ 2 files changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
+index 42988e15cb..014700e87a 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
+@@ -370,14 +370,14 @@ IScsiBinToHex (
+ /**
+   Convert the hexadecimal string into a binary encoded buffer.
+ 
+-  @param[in, out]  BinBuffer   The binary buffer.
+-  @param[in, out]  BinLength   Length of the binary buffer.
+-  @param[in]       HexStr      The hexadecimal string.
+-
+-  @retval EFI_SUCCESS          The hexadecimal string is converted into a binary
+-                               encoded buffer.
+-  @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the converted data.
+-
++  @param[in, out]  BinBuffer    The binary buffer.
++  @param[in, out]  BinLength    Length of the binary buffer.
++  @param[in]       HexStr       The hexadecimal string.
++
++  @retval EFI_SUCCESS           The hexadecimal string is converted into a
++                                binary encoded buffer.
++  @retval EFI_BUFFER_TOO_SMALL  The binary buffer is too small to hold the
++                                converted data.
+ **/
+ EFI_STATUS
+ IScsiHexToBin (
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
+index 231413993b..28cf408cd5 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
+@@ -165,14 +165,14 @@ IScsiBinToHex (
+ /**
+   Convert the hexadecimal string into a binary encoded buffer.
+ 
+-  @param[in, out]  BinBuffer   The binary buffer.
+-  @param[in, out]  BinLength   Length of the binary buffer.
+-  @param[in]       HexStr      The hexadecimal string.
+-
+-  @retval EFI_SUCCESS          The hexadecimal string is converted into a binary
+-                               encoded buffer.
+-  @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the converted data.
+-
++  @param[in, out]  BinBuffer    The binary buffer.
++  @param[in, out]  BinLength    Length of the binary buffer.
++  @param[in]       HexStr       The hexadecimal string.
++
++  @retval EFI_SUCCESS           The hexadecimal string is converted into a
++                                binary encoded buffer.
++  @retval EFI_BUFFER_TOO_SMALL  The binary buffer is too small to hold the
++                                converted data.
+ **/
+ EFI_STATUS
+ IScsiHexToBin (
+-- 
+2.27.0
+
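Review bot: In both reflowed comment blocks for IScsiHexToBin (IScsiMisc.c and IScsiMisc.h), the `@param[in, out] BinLength` text still reads only "Length of the binary buffer", which does not say what the caller supplies and what it gets back. Since these lines are being rewrapped anyway, consider stating the contract explicitly: what BinLength means on input (the caller in IScsiCHAP.c sets it to the size of the destination before the call), what it holds on return, and what it holds when EFI_BUFFER_TOO_SMALL is returned. BinBuffer is also tagged `[in, out]`; if the function only writes to it, `[out]` would be the accurate tag. The .c and .h copies are identical after this change, which is worth preserving in later edits.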
diff --git a/SOURCES/edk2-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch b/SOURCES/edk2-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch
new file mode 100644
index 0000000..b350b08
--- /dev/null
+++ b/SOURCES/edk2-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch
@@ -0,0 +1,72 @@
+From 543362e185edf822b9832b1953e78548ab42a0c5 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:51 +0200
+Subject: [PATCH 02/11] NetworkPkg/IScsiDxe: simplify
+ "ISCSI_CHAP_AUTH_DATA.InChallenge" size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Laszlo Ersek <lersek@redhat.com>
+RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]
+RH-Commit: [2/10] d1c332767a87d87274e5ff68cb0c0f630ec095e1
+RH-Bugzilla: 1961100
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+The ISCSI_CHAP_AUTH_MAX_LEN macro is defined with value 1024.
+
+The usage of this macro currently involves a semantic (not functional)
+bug, which we're going to fix in a subsequent patch, eliminating
+ISCSI_CHAP_AUTH_MAX_LEN altogether.
+
+For now, remove the macro's usage from all
+"ISCSI_CHAP_AUTH_DATA.InChallenge" contexts. This is doable without
+duplicating open-coded constants.
+
+No changes in functionality.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Message-Id: <20210608121259.32451-3-lersek@redhat.com>
+(cherry picked from commit 29cab43bb7912a12efa5a78dac15394aee866e4c)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiCHAP.c | 2 +-
+ NetworkPkg/IScsiDxe/IScsiCHAP.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+index cbbc56ae5b..df3c2eb120 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+@@ -289,7 +289,7 @@ IScsiCHAPOnRspReceived (
+     }
+ 
+     AuthData->InIdentifier      = (UINT32) Result;
+-    AuthData->InChallengeLength = ISCSI_CHAP_AUTH_MAX_LEN;
++    AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge);
+     IScsiHexToBin (
+       (UINT8 *) AuthData->InChallenge,
+       &AuthData->InChallengeLength,
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h
+index 5e59fb678b..1fc1d96ea3 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h
+@@ -49,7 +49,7 @@ typedef struct _ISCSI_CHAP_AUTH_CONFIG_NVDATA {
+ typedef struct _ISCSI_CHAP_AUTH_DATA {
+   ISCSI_CHAP_AUTH_CONFIG_NVDATA *AuthConfig;
+   UINT32                        InIdentifier;
+-  UINT8                         InChallenge[ISCSI_CHAP_AUTH_MAX_LEN];
++  UINT8                         InChallenge[1024];
+   UINT32                        InChallengeLength;
+   //
+   // Calculated CHAP Response (CHAP_R) value.
+-- 
+2.27.0
+
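Review bot: In the IScsiCHAP.c hunk (IScsiCHAPOnRspReceived), the IScsiHexToBin call right after the changed line is still a bare statement, so its EFI_STATUS is dropped, even though the function is documented to return EFI_BUFFER_TOO_SMALL when the destination cannot hold the converted data. Leaving that alone is consistent with "No changes in functionality", but please confirm that a later patch in this series assigns the result to Status and takes the ON_EXIT path on failure, because the challenge comes from the target's Login Response. Switching to `sizeof (AuthData->InChallenge)` is the right direction, as it ties the length to the array rather than to a separately maintained macro. In the IScsiCHAP.h hunk, `InChallenge[1024]` is now a bare literal; a one-line comment on where 1024 comes from would help once ISCSI_CHAP_AUTH_MAX_LEN is gone.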
diff --git a/SOURCES/edk2-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch b/SOURCES/edk2-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch
new file mode 100644
index 0000000..206de1b
--- /dev/null
+++ b/SOURCES/edk2-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch
@@ -0,0 +1,252 @@
+From 997b8a12436a433a451ef4595ccf4abb8d90dd04 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:50 +0200
+Subject: [PATCH 01/11] NetworkPkg/IScsiDxe: wrap IScsiCHAP source files to 80
+ characters
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Laszlo Ersek <lersek@redhat.com>
+RH-MergeRequest: 1: NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs [RHEL-9, c9s]
+RH-Commit: [1/10] a8d51743b8735749b53b0d0f8e665c42c4ea183c
+RH-Bugzilla: 1961100
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+Working with overlong lines is difficult for me; rewrap the CHAP-related
+source files in IScsiDxe to 80 characters width. No functional changes.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210608121259.32451-2-lersek@redhat.com>
+(cherry picked from commit 83761337ec91fbd459c55d7d956fcc25df3bfa50)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiCHAP.c | 90 +++++++++++++++++++++++++--------
+ NetworkPkg/IScsiDxe/IScsiCHAP.h |  3 +-
+ 2 files changed, 71 insertions(+), 22 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+index 355c6f129f..cbbc56ae5b 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+@@ -1,5 +1,6 @@
+ /** @file
+-  This file is for Challenge-Handshake Authentication Protocol (CHAP) Configuration.
++  This file is for Challenge-Handshake Authentication Protocol (CHAP)
++  Configuration.
+ 
+ Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+@@ -18,9 +19,11 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+   @param[in]   ChallengeLength    The length of iSCSI CHAP challenge message.
+   @param[out]  ChapResponse       The calculation of the expected hash value.
+ 
+-  @retval EFI_SUCCESS             The expected hash value was calculatedly successfully.
+-  @retval EFI_PROTOCOL_ERROR      The length of the secret should be at least the
+-                                  length of the hash value for the hashing algorithm chosen.
++  @retval EFI_SUCCESS             The expected hash value was calculatedly
++                                  successfully.
++  @retval EFI_PROTOCOL_ERROR      The length of the secret should be at least
++                                  the length of the hash value for the hashing
++                                  algorithm chosen.
+   @retval EFI_PROTOCOL_ERROR      MD5 hash operation fail.
+   @retval EFI_OUT_OF_RESOURCES    Fail to allocate resource to complete MD5.
+ 
+@@ -94,8 +97,10 @@ Exit:
+   @param[in]   AuthData             iSCSI CHAP authentication data.
+   @param[in]   TargetResponse       The response from target.
+ 
+-  @retval EFI_SUCCESS               The response from target passed authentication.
+-  @retval EFI_SECURITY_VIOLATION    The response from target was not expected value.
++  @retval EFI_SUCCESS               The response from target passed
++                                    authentication.
++  @retval EFI_SECURITY_VIOLATION    The response from target was not expected
++                                    value.
+   @retval Others                    Other errors as indicated.
+ 
+ **/
+@@ -193,7 +198,10 @@ IScsiCHAPOnRspReceived (
+     //
+     // The first Login Response.
+     //
+-    Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_TARGET_PORTAL_GROUP_TAG);
++    Value = IScsiGetValueByKeyFromList (
++              KeyValueList,
++              ISCSI_KEY_TARGET_PORTAL_GROUP_TAG
++              );
+     if (Value == NULL) {
+       goto ON_EXIT;
+     }
+@@ -205,13 +213,17 @@ IScsiCHAPOnRspReceived (
+ 
+     Session->TargetPortalGroupTag = (UINT16) Result;
+ 
+-    Value                         = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_AUTH_METHOD);
++    Value                         = IScsiGetValueByKeyFromList (
++                                      KeyValueList,
++                                      ISCSI_KEY_AUTH_METHOD
++                                      );
+     if (Value == NULL) {
+       goto ON_EXIT;
+     }
+     //
+-    // Initiator mandates CHAP authentication but target replies without "CHAP", or
+-    // initiator suggets "None" but target replies with some kind of auth method.
++    // Initiator mandates CHAP authentication but target replies without
++    // "CHAP", or initiator suggets "None" but target replies with some kind of
++    // auth method.
+     //
+     if (Session->AuthType == ISCSI_AUTH_TYPE_NONE) {
+       if (AsciiStrCmp (Value, ISCSI_KEY_VALUE_NONE) != 0) {
+@@ -236,7 +248,10 @@ IScsiCHAPOnRspReceived (
+     //
+     // The Target replies with CHAP_A=<A> CHAP_I=<I> CHAP_C=<C>
+     //
+-    Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_ALGORITHM);
++    Value = IScsiGetValueByKeyFromList (
++              KeyValueList,
++              ISCSI_KEY_CHAP_ALGORITHM
++              );
+     if (Value == NULL) {
+       goto ON_EXIT;
+     }
+@@ -249,12 +264,18 @@ IScsiCHAPOnRspReceived (
+       goto ON_EXIT;
+     }
+ 
+-    Identifier = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_IDENTIFIER);
++    Identifier = IScsiGetValueByKeyFromList (
++                   KeyValueList,
++                   ISCSI_KEY_CHAP_IDENTIFIER
++                   );
+     if (Identifier == NULL) {
+       goto ON_EXIT;
+     }
+ 
+-    Challenge = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_CHALLENGE);
++    Challenge = IScsiGetValueByKeyFromList (
++                  KeyValueList,
++                  ISCSI_KEY_CHAP_CHALLENGE
++                  );
+     if (Challenge == NULL) {
+       goto ON_EXIT;
+     }
+@@ -269,7 +290,11 @@ IScsiCHAPOnRspReceived (
+ 
+     AuthData->InIdentifier      = (UINT32) Result;
+     AuthData->InChallengeLength = ISCSI_CHAP_AUTH_MAX_LEN;
+-    IScsiHexToBin ((UINT8 *) AuthData->InChallenge, &AuthData->InChallengeLength, Challenge);
++    IScsiHexToBin (
++      (UINT8 *) AuthData->InChallenge,
++      &AuthData->InChallengeLength,
++      Challenge
++      );
+     Status = IScsiCHAPCalculateResponse (
+                AuthData->InIdentifier,
+                AuthData->AuthConfig->CHAPSecret,
+@@ -303,7 +328,10 @@ IScsiCHAPOnRspReceived (
+       goto ON_EXIT;
+     }
+ 
+-    Response = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_RESPONSE);
++    Response = IScsiGetValueByKeyFromList (
++                 KeyValueList,
++                 ISCSI_KEY_CHAP_RESPONSE
++                 );
+     if (Response == NULL) {
+       goto ON_EXIT;
+     }
+@@ -341,7 +369,8 @@ ON_EXIT:
+   @param[in, out]  Pdu         The PDU to send out.
+ 
+   @retval EFI_SUCCESS           All check passed and the phase-related CHAP
+-                                authentication info is filled into the iSCSI PDU.
++                                authentication info is filled into the iSCSI
++                                PDU.
+   @retval EFI_OUT_OF_RESOURCES  Failed to allocate memory.
+   @retval EFI_PROTOCOL_ERROR    Some kind of protocol error occurred.
+ 
+@@ -392,7 +421,11 @@ IScsiCHAPToSendReq (
+     // It's the initial Login Request. Fill in the key=value pairs mandatory
+     // for the initial Login Request.
+     //
+-    IScsiAddKeyValuePair (Pdu, ISCSI_KEY_INITIATOR_NAME, mPrivate->InitiatorName);
++    IScsiAddKeyValuePair (
++      Pdu,
++      ISCSI_KEY_INITIATOR_NAME,
++      mPrivate->InitiatorName
++      );
+     IScsiAddKeyValuePair (Pdu, ISCSI_KEY_SESSION_TYPE, "Normal");
+     IScsiAddKeyValuePair (
+       Pdu,
+@@ -413,7 +446,8 @@ IScsiCHAPToSendReq (
+ 
+   case ISCSI_CHAP_STEP_ONE:
+     //
+-    // First step, send the Login Request with CHAP_A=<A1,A2...> key-value pair.
++    // First step, send the Login Request with CHAP_A=<A1,A2...> key-value
++    // pair.
+     //
+     AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", ISCSI_CHAP_ALGORITHM_MD5);
+     IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_ALGORITHM, ValueStr);
+@@ -429,11 +463,20 @@ IScsiCHAPToSendReq (
+     //
+     // CHAP_N=<N>
+     //
+-    IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_NAME, (CHAR8 *) &AuthData->AuthConfig->CHAPName);
++    IScsiAddKeyValuePair (
++      Pdu,
++      ISCSI_KEY_CHAP_NAME,
++      (CHAR8 *) &AuthData->AuthConfig->CHAPName
++      );
+     //
+     // CHAP_R=<R>
+     //
+-    IScsiBinToHex ((UINT8 *) AuthData->CHAPResponse, ISCSI_CHAP_RSP_LEN, Response, &RspLen);
++    IScsiBinToHex (
++      (UINT8 *) AuthData->CHAPResponse,
++      ISCSI_CHAP_RSP_LEN,
++      Response,
++      &RspLen
++      );
+     IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response);
+ 
+     if (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL) {
+@@ -448,7 +491,12 @@ IScsiCHAPToSendReq (
+       //
+       IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN);
+       AuthData->OutChallengeLength = ISCSI_CHAP_RSP_LEN;
+-      IScsiBinToHex ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN, Challenge, &ChallengeLen);
++      IScsiBinToHex (
++        (UINT8 *) AuthData->OutChallenge,
++        ISCSI_CHAP_RSP_LEN,
++        Challenge,
++        &ChallengeLen
++        );
+       IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge);
+ 
+       Conn->AuthStep = ISCSI_CHAP_STEP_FOUR;
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h
+index 140bba0dcd..5e59fb678b 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h
+@@ -88,7 +88,8 @@ IScsiCHAPOnRspReceived (
+   @param[in, out]  Pdu         The PDU to send out.
+ 
+   @retval EFI_SUCCESS           All check passed and the phase-related CHAP
+-                                authentication info is filled into the iSCSI PDU.
++                                authentication info is filled into the iSCSI
++                                PDU.
+   @retval EFI_OUT_OF_RESOURCES  Failed to allocate memory.
+   @retval EFI_PROTOCOL_ERROR    Some kind of protocol error occurred.
+ 
+-- 
+2.27.0
+
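Review bot: Two rewrapped comments in IScsiCHAP.c carry existing typos into the new lines: "was calculatedly successfully" in the hunk at `@@ -18,9 +19,11 @@` and "initiator suggets" in the hunk at `@@ -205,13 +213,17 @@`. Since these lines are being rewritten anyway, either fix them here ("was calculated successfully", "suggests") or leave a note that a follow-up will, so the rewrap does not look like it blessed the wording. A style point in the same `-205,13` hunk: the aligned assignment `Value                         = IScsiGetValueByKeyFromList (` pushes the wrapped arguments to column 38; dropping the alignment padding there would match the other `Value = IScsiGetValueByKeyFromList (` calls in this patch. The rest reads as a pure rewrap with no token changes.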
diff --git a/SOURCES/edk2-OvmfPkg-Remove-EbcDxe-RHEL-only.patch b/SOURCES/edk2-OvmfPkg-Remove-EbcDxe-RHEL-only.patch
new file mode 100644
index 0000000..ee4c552
--- /dev/null
+++ b/SOURCES/edk2-OvmfPkg-Remove-EbcDxe-RHEL-only.patch
@@ -0,0 +1,129 @@
+From a7434b6bac325dbb0c2e7c6f43678d5c6d9ac1f7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:28:49 +0200
+Subject: [PATCH 02/19] OvmfPkg: Remove EbcDxe (RHEL only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [2/19] 6777c3dc453e4aecddc20216f783ba2a5acccaa0
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove EFI Byte Code interpreter.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc | 1 -
+ OvmfPkg/AmdSev/AmdSevX64.fdf | 1 -
+ OvmfPkg/OvmfPkgIa32.dsc      | 1 -
+ OvmfPkg/OvmfPkgIa32.fdf      | 1 -
+ OvmfPkg/OvmfPkgIa32X64.dsc   | 1 -
+ OvmfPkg/OvmfPkgIa32X64.fdf   | 1 -
+ OvmfPkg/OvmfPkgX64.dsc       | 1 -
+ OvmfPkg/OvmfPkgX64.fdf       | 1 -
+ 8 files changed, 8 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 0ee34ac576..7ca368f667 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -667,7 +667,6 @@
+ !endif
+   }
+ 
+-  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
+   OvmfPkg/8259InterruptControllerDxe/8259.inf
+   UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
+   UefiCpuPkg/CpuDxe/CpuDxe.inf
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
+index ee66b3d905..8af26d3989 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
+@@ -194,7 +194,6 @@ INF  MdeModulePkg/Universal/PCD/Dxe/Pcd.inf
+ 
+ INF  MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
+ INF  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+-INF  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
+ INF  OvmfPkg/8259InterruptControllerDxe/8259.inf
+ INF  UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
+ INF  UefiCpuPkg/CpuDxe/CpuDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 76591cff94..634a4aa73d 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -750,7 +750,6 @@
+ !endif
+   }
+ 
+-  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
+   OvmfPkg/8259InterruptControllerDxe/8259.inf
+   UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
+   UefiCpuPkg/CpuDxe/CpuDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index 8c2256345c..4e36026061 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -210,7 +210,6 @@ INF  MdeModulePkg/Universal/PCD/Dxe/Pcd.inf
+ 
+ INF  MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
+ INF  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+-INF  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
+ INF  OvmfPkg/8259InterruptControllerDxe/8259.inf
+ INF  UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
+ INF  UefiCpuPkg/CpuDxe/CpuDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 14eb12dd5e..c3ce34870e 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -764,7 +764,6 @@
+ !endif
+   }
+ 
+-  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
+   OvmfPkg/8259InterruptControllerDxe/8259.inf
+   UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
+   UefiCpuPkg/CpuDxe/CpuDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index e122f1c0d8..97e24ab104 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -211,7 +211,6 @@ INF  MdeModulePkg/Universal/PCD/Dxe/Pcd.inf
+ 
+ INF  MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
+ INF  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+-INF  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
+ INF  OvmfPkg/8259InterruptControllerDxe/8259.inf
+ INF  UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
+ INF  UefiCpuPkg/CpuDxe/CpuDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 48861db4dc..36d9b0943b 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -762,7 +762,6 @@
+ !endif
+   }
+ 
+-  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
+   OvmfPkg/8259InterruptControllerDxe/8259.inf
+   UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
+   UefiCpuPkg/CpuDxe/CpuDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index 0aef17a708..6d66e4d07e 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -223,7 +223,6 @@ INF  MdeModulePkg/Universal/PCD/Dxe/Pcd.inf
+ 
+ INF  MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
+ INF  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+-INF  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
+ INF  OvmfPkg/8259InterruptControllerDxe/8259.inf
+ INF  UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
+ INF  UefiCpuPkg/CpuDxe/CpuDxe.inf
+-- 
+2.27.0
+
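Review bot: The commit message says only "Remove EFI Byte Code interpreter." and gives no reason, unlike the NvmExpressDxe removal in the same merge request, which states its rationale. Please add a sentence on why EbcDxe is dropped for RHEL and on what stops working without it, so that a later rebase can judge whether the patch still applies in spirit. The change itself is consistent: each of the four platforms loses the `MdeModulePkg/Universal/EbcDxe/EbcDxe.inf` entry in both its .dsc and its .fdf, so no .fdf is left referencing a module that the .dsc no longer builds.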
diff --git a/SOURCES/edk2-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch b/SOURCES/edk2-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch
new file mode 100644
index 0000000..d60c534
--- /dev/null
+++ b/SOURCES/edk2-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch
@@ -0,0 +1,113 @@
+From 2ca952f2964aa744846a08cb13252428e92b3952 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:29:31 +0200
+Subject: [PATCH 15/19] OvmfPkg: Remove HttpDynamicCommand from shell (RHEL
+ only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [15/19] 1911cf04f27467ef1175b1976864c1111d93d19e
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove the command to download files in the shell via HTTP(S).
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ OvmfPkg/OvmfPkgIa32.dsc    | 4 ----
+ OvmfPkg/OvmfPkgIa32.fdf    | 1 -
+ OvmfPkg/OvmfPkgIa32X64.dsc | 4 ----
+ OvmfPkg/OvmfPkgIa32X64.fdf | 1 -
+ OvmfPkg/OvmfPkgX64.dsc     | 4 ----
+ OvmfPkg/OvmfPkgX64.fdf     | 1 -
+ 6 files changed, 15 deletions(-)
+
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index caa335bed5..d22b643161 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -907,10 +907,6 @@
+ !endif
+ 
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+-  ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+-  }
+   OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
+     <PcdsFixedAtBuild>
+       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index a6d0645c3f..87afeb57a1 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -290,7 +290,6 @@ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ 
+ !ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+-INF  ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
+ INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+ !endif
+ INF  ShellPkg/Application/Shell/Shell.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 52cc9edffc..d3e913d094 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -921,10 +921,6 @@
+ !endif
+ 
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+-  ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+-  }
+   OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
+     <PcdsFixedAtBuild>
+       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index 3fa5273f89..96e65fab46 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -291,7 +291,6 @@ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ 
+ !ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+-INF  ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
+ INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+ !endif
+ INF  ShellPkg/Application/Shell/Shell.inf
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 6e1d5409e3..13320b3aa9 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -919,10 +919,6 @@
+ !endif
+ 
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+-  ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+-  }
+   OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
+     <PcdsFixedAtBuild>
+       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index 1e332d2a73..b3dccaebd3 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -303,7 +303,6 @@ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ 
+ !ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+-INF  ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
+ INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+ !endif
+ INF  ShellPkg/Application/Shell/Shell.inf
+-- 
+2.27.0
+
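Review bot: The diffstat covers the Ia32, Ia32X64 and X64 platform files but not OvmfPkg/AmdSev/AmdSevX64.dsc and AmdSevX64.fdf, which the other removal patches on this page do touch. If the AmdSev platform never included HttpDynamicCommand, say so in the commit message so that the asymmetry is clearly intentional; if it does include it, this patch needs two more hunks. Within the files that are changed, the .dsc component block (with its PcdShellLibAutoInitialize override) and the matching .fdf `INF` line are removed together for each platform, which is correct.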
diff --git a/SOURCES/edk2-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch b/SOURCES/edk2-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch
new file mode 100644
index 0000000..48a2b5a
--- /dev/null
+++ b/SOURCES/edk2-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch
@@ -0,0 +1,147 @@
+From 5f97a7d207dd52af15869726e9a628c3f9f1c5ff Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:29:39 +0200
+Subject: [PATCH 17/19] OvmfPkg: Remove LinuxInitrdDynamicShellCommand (RHEL
+ only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [17/19] 491fe1301ea29c7cb56c20272e45614d5fcb6f14
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove the command to register a file in the shell as the
+initial ramdisk for a UEFI stubbed kernel, to be booted next.
+
+Note: as further dynamic shell commands might show up upstream,
+we intentionally preserve the empty !ifdef'ry context to ease
+future downstream rebases.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc | 4 ----
+ OvmfPkg/AmdSev/AmdSevX64.fdf | 1 -
+ OvmfPkg/OvmfPkgIa32.dsc      | 4 ----
+ OvmfPkg/OvmfPkgIa32.fdf      | 1 -
+ OvmfPkg/OvmfPkgIa32X64.dsc   | 4 ----
+ OvmfPkg/OvmfPkgIa32X64.fdf   | 1 -
+ OvmfPkg/OvmfPkgX64.dsc       | 4 ----
+ OvmfPkg/OvmfPkgX64.fdf       | 1 -
+ 8 files changed, 20 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index a54a4e39e2..485c60dd36 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -783,10 +783,6 @@
+   MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+ 
+ !if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE
+-  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+-  }
+ !endif
+   OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
+   OvmfPkg/AmdSev/Grub/Grub.inf
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
+index 89e35c5b19..1cf4d659d1 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
+@@ -267,7 +267,6 @@ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
+ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ 
+ !if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE
+-INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+ !endif
+ INF OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
+ INF  OvmfPkg/AmdSev/Grub/Grub.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index d22b643161..f844c5f97c 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -907,10 +907,6 @@
+ !endif
+ 
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+-  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+-  }
+ !endif
+   ShellPkg/Application/Shell/Shell.inf {
+     <LibraryClasses>
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index 87afeb57a1..f4a6829085 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -290,7 +290,6 @@ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ 
+ !ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+-INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+ !endif
+ INF  ShellPkg/Application/Shell/Shell.inf
+ !endif
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index d3e913d094..b373c0d63a 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -921,10 +921,6 @@
+ !endif
+ 
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+-  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+-  }
+ !endif
+   ShellPkg/Application/Shell/Shell.inf {
+     <LibraryClasses>
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index 96e65fab46..35692403d3 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -291,7 +291,6 @@ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ 
+ !ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+-INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+ !endif
+ INF  ShellPkg/Application/Shell/Shell.inf
+ !endif
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 13320b3aa9..39e8e5b3c4 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -919,10 +919,6 @@
+ !endif
+ 
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+-  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+-  }
+ !endif
+   ShellPkg/Application/Shell/Shell.inf {
+     <LibraryClasses>
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index b3dccaebd3..a0c3c182f6 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -303,7 +303,6 @@ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ 
+ !ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+-INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+ !endif
+ INF  ShellPkg/Application/Shell/Shell.inf
+ !endif
+-- 
+2.27.0
+
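Review bot: After this patch every touched file has an `!if $(TOOL_CHAIN_TAG) != "XCODE5"` (or `... && $(BUILD_SHELL) == TRUE`) line followed directly by `!endif`, and the only explanation that this is deliberate lives in the commit message. Consider adding a short comment inside each empty conditional in the .dsc and .fdf files, stating that it is kept on purpose to ease downstream rebases, so that a later cleanup does not delete it as dead text. Also worth confirming that the build tools accept an empty conditional block in both file types on all four platforms, since the AmdSev variant uses a compound condition.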
diff --git a/SOURCES/edk2-OvmfPkg-Remove-NvmExpressDxe-device-driver-RHEL-only.patch b/SOURCES/edk2-OvmfPkg-Remove-NvmExpressDxe-device-driver-RHEL-only.patch
new file mode 100644
index 0000000..a327e9a
--- /dev/null
+++ b/SOURCES/edk2-OvmfPkg-Remove-NvmExpressDxe-device-driver-RHEL-only.patch
@@ -0,0 +1,141 @@
+From 69b32fefaabd83aaea663cc493fbf894d94d9c0c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:29:06 +0200
+Subject: [PATCH 07/19] OvmfPkg: Remove NvmExpressDxe device driver (RHEL only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [7/19] 9af37e4e6ad4604d5ebe67ff77cc236664590fe2
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+There is no real known use case for the NVME driver.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc | 4 ----
+ OvmfPkg/AmdSev/AmdSevX64.fdf | 1 -
+ OvmfPkg/OvmfPkgIa32.dsc      | 4 ----
+ OvmfPkg/OvmfPkgIa32.fdf      | 1 -
+ OvmfPkg/OvmfPkgIa32X64.dsc   | 4 ----
+ OvmfPkg/OvmfPkgIa32X64.fdf   | 1 -
+ OvmfPkg/OvmfPkgX64.dsc       | 4 ----
+ OvmfPkg/OvmfPkgX64.fdf       | 1 -
+ 8 files changed, 20 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 72a5106f96..5f8ec2250d 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -739,10 +739,6 @@
+   OvmfPkg/SataControllerDxe/SataControllerDxe.inf
+   MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
+   MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
+-  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+-  }
+   MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
+index 2e1a2911e3..5d3eb97f02 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
+@@ -245,7 +245,6 @@ INF  MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+ INF  OvmfPkg/SataControllerDxe/SataControllerDxe.inf
+ INF  MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
+ INF  MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
+-INF  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
+ INF  MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+ INF  MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+ INF  MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index bb72780e3e..44ed88ebbf 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -833,10 +833,6 @@
+   OvmfPkg/SataControllerDxe/SataControllerDxe.inf
+   MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
+   MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
+-  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+-  }
+   MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index e546622732..a82701e7e1 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -265,7 +265,6 @@ INF  MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+ INF  OvmfPkg/SataControllerDxe/SataControllerDxe.inf
+ INF  MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
+ INF  MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
+-INF  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
+ INF  MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+ INF  MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+ INF  MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 12fe15539c..d6ae83d7fc 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -847,10 +847,6 @@
+   OvmfPkg/SataControllerDxe/SataControllerDxe.inf
+   MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
+   MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
+-  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+-  }
+   MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index d709186a69..22f077dddd 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -266,7 +266,6 @@ INF  MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+ INF  OvmfPkg/SataControllerDxe/SataControllerDxe.inf
+ INF  MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
+ INF  MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
+-INF  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
+ INF  MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+ INF  MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+ INF  MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 11b4bafe83..fb6a0123ea 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -845,10 +845,6 @@
+   OvmfPkg/SataControllerDxe/SataControllerDxe.inf
+   MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
+   MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
+-  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+-  }
+   MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index 86a310dd49..79fee2afbf 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -278,7 +278,6 @@ INF  MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+ INF  OvmfPkg/SataControllerDxe/SataControllerDxe.inf
+ INF  MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
+ INF  MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
+-INF  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
+ INF  MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+ INF  MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+ INF  MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+-- 
+2.27.0
+
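Review bot: The commit message's only justification, "There is no real known use case for the NVME driver", does not record the functional consequence of dropping NvmExpressDxe.inf from all four platform .dsc/.fdf pairs. Without it, the firmware no longer binds NVMe controllers, so a guest whose boot disk sits behind an NVMe device cannot boot from it unless the device supplies its own UEFI driver. Please state that in the message and name the storage controllers that stay supported (the context lines show the SCSI and SATA/ATA drivers remaining), so a later report of an unbootable NVMe guest can be traced back to this change.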
diff --git a/SOURCES/edk2-OvmfPkg-Remove-PrintDxe-RHEL-only.patch b/SOURCES/edk2-OvmfPkg-Remove-PrintDxe-RHEL-only.patch
new file mode 100644
index 0000000..251f5c8
--- /dev/null
+++ b/SOURCES/edk2-OvmfPkg-Remove-PrintDxe-RHEL-only.patch
@@ -0,0 +1,129 @@
+From fcc9ea03ba79d36ac4af6342f22bfbc93d0e5f2c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:28:43 +0200
+Subject: [PATCH 01/19] OvmfPkg: Remove PrintDxe (RHEL only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [1/19] 84921eec8867fc1986401a301700baf31ba66293
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+The Print service driver is not used by OVMF, remove it.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc | 1 -
+ OvmfPkg/AmdSev/AmdSevX64.fdf | 1 -
+ OvmfPkg/OvmfPkgIa32.dsc      | 1 -
+ OvmfPkg/OvmfPkgIa32.fdf      | 1 -
+ OvmfPkg/OvmfPkgIa32X64.dsc   | 1 -
+ OvmfPkg/OvmfPkgIa32X64.fdf   | 1 -
+ OvmfPkg/OvmfPkgX64.dsc       | 1 -
+ OvmfPkg/OvmfPkgX64.fdf       | 1 -
+ 8 files changed, 8 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index fb00b12f8c..0ee34ac576 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -729,7 +729,6 @@
+       DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf
+       PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
+   }
+-  MdeModulePkg/Universal/PrintDxe/PrintDxe.inf
+   MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf
+   MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf
+   MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
+index fa5e484e63..ee66b3d905 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
+@@ -237,7 +237,6 @@ INF  MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
+ INF  MdeModulePkg/Application/UiApp/UiApp.inf
+ INF  OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
+ INF  MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
+-INF  MdeModulePkg/Universal/PrintDxe/PrintDxe.inf
+ INF  MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf
+ INF  MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf
+ INF  MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 119267e3c8..76591cff94 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -822,7 +822,6 @@
+       DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf
+       PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
+   }
+-  MdeModulePkg/Universal/PrintDxe/PrintDxe.inf
+   MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf
+   MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf
+   MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index 969524cf3b..8c2256345c 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -257,7 +257,6 @@ INF  MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
+ INF  MdeModulePkg/Application/UiApp/UiApp.inf
+ INF  OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
+ INF  MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
+-INF  MdeModulePkg/Universal/PrintDxe/PrintDxe.inf
+ INF  MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf
+ INF  MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf
+ INF  MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 166c9f1fef..14eb12dd5e 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -836,7 +836,6 @@
+       DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf
+       PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
+   }
+-  MdeModulePkg/Universal/PrintDxe/PrintDxe.inf
+   MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf
+   MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf
+   MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index 36f078556f..e122f1c0d8 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -258,7 +258,6 @@ INF  MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
+ INF  MdeModulePkg/Application/UiApp/UiApp.inf
+ INF  OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
+ INF  MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
+-INF  MdeModulePkg/Universal/PrintDxe/PrintDxe.inf
+ INF  MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf
+ INF  MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf
+ INF  MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 19d0944a72..48861db4dc 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -834,7 +834,6 @@
+       DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf
+       PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
+   }
+-  MdeModulePkg/Universal/PrintDxe/PrintDxe.inf
+   MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf
+   MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf
+   MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index a5900d8377..0aef17a708 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -270,7 +270,6 @@ INF  MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
+ INF  MdeModulePkg/Application/UiApp/UiApp.inf
+ INF  OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
+ INF  MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
+-INF  MdeModulePkg/Universal/PrintDxe/PrintDxe.inf
+ INF  MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf
+ INF  MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf
+ INF  MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
+-- 
+2.27.0
+
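Review bot: "The Print service driver is not used by OVMF" covers only in-tree consumers, while the hunks remove PrintDxe.inf from both the .dsc and the .fdf of every platform, so third-party UEFI drivers and applications loaded at run time also lose the Print2 protocol it installs. If external consumers were considered, say so in the commit message. A short note on how it was verified that none of the remaining modules depends on the driver would make the removal auditable.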
diff --git a/SOURCES/edk2-OvmfPkg-Remove-QemuRamfbDxe-display-device-driver-RH.patch b/SOURCES/edk2-OvmfPkg-Remove-QemuRamfbDxe-display-device-driver-RH.patch
new file mode 100644
index 0000000..9e437e4
--- /dev/null
+++ b/SOURCES/edk2-OvmfPkg-Remove-QemuRamfbDxe-display-device-driver-RH.patch
@@ -0,0 +1,142 @@
+From 3ff50d45d2d9da7f7b995e261f6f7750706197ea Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Fri, 2 Jul 2021 20:15:40 +0200
+Subject: [PATCH 05/19] OvmfPkg: Remove QemuRamfbDxe display device driver
+ (RHEL only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [5/19] 657c6d4406600a34ad57cd0f93018716d73f2cd1
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+The ramfb display device driver is not needed for RHEL.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc | 4 ----
+ OvmfPkg/AmdSev/AmdSevX64.fdf | 1 -
+ OvmfPkg/OvmfPkgIa32.dsc      | 4 ----
+ OvmfPkg/OvmfPkgIa32.fdf      | 1 -
+ OvmfPkg/OvmfPkgIa32X64.dsc   | 4 ----
+ OvmfPkg/OvmfPkgIa32X64.fdf   | 1 -
+ OvmfPkg/OvmfPkgX64.dsc       | 4 ----
+ OvmfPkg/OvmfPkgX64.fdf       | 1 -
+ 8 files changed, 20 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 8966b90cb5..72a5106f96 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -752,10 +752,6 @@
+     <PcdsFixedAtBuild>
+       gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+   }
+-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+-  }
+ 
+   #
+   # ISA Support
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
+index 5f980d5f98..2e1a2911e3 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
+@@ -291,7 +291,6 @@ INF  MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+ 
+ INF  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ 
+-INF  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+ INF  OvmfPkg/PlatformDxe/Platform.inf
+ INF  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
+ INF  OvmfPkg/IoMmuDxe/IoMmuDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 2ba90ddf8b..bb72780e3e 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -848,10 +848,6 @@
+       gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+   }
+ !endif
+-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+-  }
+ 
+   #
+   # ISA Support
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index e70508ecfc..e546622732 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -326,7 +326,6 @@ INF  RuleOverride=CSM OvmfPkg/Csm/Csm16/Csm16.inf
+ INF  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ !endif
+ 
+-INF  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+ INF  OvmfPkg/PlatformDxe/Platform.inf
+ INF  OvmfPkg/IoMmuDxe/IoMmuDxe.inf
+ 
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 5f22848972..12fe15539c 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -862,10 +862,6 @@
+       gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+   }
+ !endif
+-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+-  }
+ 
+   #
+   # ISA Support
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index 237271e50b..d709186a69 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -332,7 +332,6 @@ INF  RuleOverride=CSM OvmfPkg/Csm/Csm16/Csm16.inf
+ INF  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ !endif
+ 
+-INF  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+ INF  OvmfPkg/PlatformDxe/Platform.inf
+ INF  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
+ INF  OvmfPkg/IoMmuDxe/IoMmuDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 5377a8a2f3..11b4bafe83 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -860,10 +860,6 @@
+       gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+   }
+ !endif
+-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+-  }
+ 
+   #
+   # ISA Support
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index f8611f5c07..86a310dd49 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -344,7 +344,6 @@ INF  RuleOverride=CSM OvmfPkg/Csm/Csm16/Csm16.inf
+ INF  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ !endif
+ 
+-INF  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+ INF  OvmfPkg/PlatformDxe/Platform.inf
+ INF  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
+ INF  OvmfPkg/IoMmuDxe/IoMmuDxe.inf
+-- 
+2.27.0
+
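Review bot: The message says the ramfb driver "is not needed for RHEL" without giving a reason, and the .fdf context shows OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf as the only display driver left next to the removed line, inside a conditional closed by `!endif` in the Ia32, Ia32X64 and X64 files. Please document which display devices the firmware still supports after this patch, and confirm that a build taking the other branch of that conditional is not left without any display driver.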
diff --git a/SOURCES/edk2-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch b/SOURCES/edk2-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch
new file mode 100644
index 0000000..ba111ec
--- /dev/null
+++ b/SOURCES/edk2-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch
@@ -0,0 +1,113 @@
+From 08daf5b41ee0926d5e3ed40b6dad24166fac95ee Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:29:25 +0200
+Subject: [PATCH 13/19] OvmfPkg: Remove TftpDynamicCommand from shell (RHEL
+ only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [13/19] cf9ef346386ac89fa05b29d429d8d1b27cf0e3b0
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove the command to download files in the shell via TFTP.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ OvmfPkg/OvmfPkgIa32.dsc    | 4 ----
+ OvmfPkg/OvmfPkgIa32.fdf    | 1 -
+ OvmfPkg/OvmfPkgIa32X64.dsc | 4 ----
+ OvmfPkg/OvmfPkgIa32X64.fdf | 1 -
+ OvmfPkg/OvmfPkgX64.dsc     | 4 ----
+ OvmfPkg/OvmfPkgX64.fdf     | 1 -
+ 6 files changed, 15 deletions(-)
+
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 4b30b0e461..caa335bed5 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -907,10 +907,6 @@
+ !endif
+ 
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+-  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+-  }
+   ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf {
+     <PcdsFixedAtBuild>
+       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index 8e21668044..a6d0645c3f 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -290,7 +290,6 @@ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ 
+ !ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+-INF  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
+ INF  ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
+ INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+ !endif
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index faff80d56b..52cc9edffc 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -921,10 +921,6 @@
+ !endif
+ 
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+-  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+-  }
+   ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf {
+     <PcdsFixedAtBuild>
+       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index 40f68b0425..3fa5273f89 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -291,7 +291,6 @@ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ 
+ !ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+-INF  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
+ INF  ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
+ INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+ !endif
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 6bfe64e892..6e1d5409e3 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -919,10 +919,6 @@
+ !endif
+ 
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+-  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+-  }
+   ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf {
+     <PcdsFixedAtBuild>
+       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index b127f225bb..1e332d2a73 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -303,7 +303,6 @@ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ 
+ !ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+-INF  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
+ INF  ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
+ INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+ !endif
+-- 
+2.27.0
+
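Review bot: This patch edits only the Ia32, Ia32X64 and X64 files, while most other removals in this series also touch OvmfPkg/AmdSev/AmdSevX64.dsc and .fdf, and the commit message does not say whether the AmdSev platform never included TftpDynamicCommand.inf or was missed. The context lines also show HttpDynamicCommand.inf staying in the same `!if $(TOOL_CHAIN_TAG) != "XCODE5"` block, so the message should state whether keeping the shell's HTTP download command is intended or is handled by another patch in the series.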
diff --git a/SOURCES/edk2-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch b/SOURCES/edk2-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch
new file mode 100644
index 0000000..e056a2a
--- /dev/null
+++ b/SOURCES/edk2-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch
@@ -0,0 +1,129 @@
+From 08f3358aad5bcc436dcca31bed871aff2cc94703 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:29:19 +0200
+Subject: [PATCH 11/19] OvmfPkg: Remove UdfDxe filesystem driver (RHEL only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [11/19] 21614de37221fca27d4eec0f03c5c8bce5911af3
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove the UDF driver.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc | 1 -
+ OvmfPkg/AmdSev/AmdSevX64.fdf | 1 -
+ OvmfPkg/OvmfPkgIa32.dsc      | 1 -
+ OvmfPkg/OvmfPkgIa32.fdf      | 1 -
+ OvmfPkg/OvmfPkgIa32X64.dsc   | 1 -
+ OvmfPkg/OvmfPkgIa32X64.fdf   | 1 -
+ OvmfPkg/OvmfPkgX64.dsc       | 1 -
+ OvmfPkg/OvmfPkgX64.fdf       | 1 -
+ 8 files changed, 8 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 5f8ec2250d..a54a4e39e2 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -733,7 +733,6 @@
+   MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
+   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   FatPkg/EnhancedFatDxe/Fat.inf
+-  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+   OvmfPkg/SataControllerDxe/SataControllerDxe.inf
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
+index 5d3eb97f02..89e35c5b19 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
+@@ -265,7 +265,6 @@ INF  RuleOverride=ACPITABLE OvmfPkg/AcpiTables/AcpiTables.inf
+ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
+ INF  FatPkg/EnhancedFatDxe/Fat.inf
+-INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+ 
+ !if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE
+ INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 356f824525..4b30b0e461 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -826,7 +826,6 @@
+   MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
+   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   FatPkg/EnhancedFatDxe/Fat.inf
+-  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+   OvmfPkg/SataControllerDxe/SataControllerDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index 73012cc933..8e21668044 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -287,7 +287,6 @@ INF  MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
+ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
+ INF  FatPkg/EnhancedFatDxe/Fat.inf
+-INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+ 
+ !ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 0b6275e83e..faff80d56b 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -840,7 +840,6 @@
+   MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
+   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   FatPkg/EnhancedFatDxe/Fat.inf
+-  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+   OvmfPkg/SataControllerDxe/SataControllerDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index 0553e4e1a8..40f68b0425 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -288,7 +288,6 @@ INF  MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
+ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
+ INF  FatPkg/EnhancedFatDxe/Fat.inf
+-INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+ 
+ !ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index c9857d58ed..6bfe64e892 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -838,7 +838,6 @@
+   MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
+   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   FatPkg/EnhancedFatDxe/Fat.inf
+-  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+   OvmfPkg/SataControllerDxe/SataControllerDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index 1e471581d2..b127f225bb 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -300,7 +300,6 @@ INF  MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
+ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
+ INF  FatPkg/EnhancedFatDxe/Fat.inf
+-INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+ 
+ !ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+-- 
+2.27.0
+
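Review bot: The commit message "Remove the UDF driver." restates the subject and gives no reason, unlike most other removals in this series, which at least say the component is unused or unneeded. Please add the motivation and the user-visible effect: once the UdfDxe.inf lines are dropped, FatPkg/EnhancedFatDxe/Fat.inf is the only filesystem driver left in the visible context, so the firmware can no longer read UDF-formatted media.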
diff --git a/SOURCES/edk2-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch b/SOURCES/edk2-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch
new file mode 100644
index 0000000..9e2c5ad
--- /dev/null
+++ b/SOURCES/edk2-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch
@@ -0,0 +1,104 @@
+From 649579b908c5d19c63a8768d47b24ad63b353b49 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:29:13 +0200
+Subject: [PATCH 09/19] OvmfPkg: Remove VirtioFsDxe filesystem driver (RHEL
+ only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [9/19] b40d8a6b9c38568a74fb922b12bbae9f0e721f95
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove the virtio-fs driver.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ OvmfPkg/OvmfPkgIa32.dsc    | 1 -
+ OvmfPkg/OvmfPkgIa32.fdf    | 1 -
+ OvmfPkg/OvmfPkgIa32X64.dsc | 1 -
+ OvmfPkg/OvmfPkgIa32X64.fdf | 1 -
+ OvmfPkg/OvmfPkgX64.dsc     | 1 -
+ OvmfPkg/OvmfPkgX64.fdf     | 1 -
+ 6 files changed, 6 deletions(-)
+
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 44ed88ebbf..356f824525 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -827,7 +827,6 @@
+   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   FatPkg/EnhancedFatDxe/Fat.inf
+   MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+-  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+   OvmfPkg/SataControllerDxe/SataControllerDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index a82701e7e1..73012cc933 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -288,7 +288,6 @@ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
+ 
+ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+-INF  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+ 
+ !ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index d6ae83d7fc..0b6275e83e 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -841,7 +841,6 @@
+   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   FatPkg/EnhancedFatDxe/Fat.inf
+   MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+-  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+   OvmfPkg/SataControllerDxe/SataControllerDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index 22f077dddd..0553e4e1a8 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -289,7 +289,6 @@ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
+ 
+ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+-INF  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+ 
+ !ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index fb6a0123ea..c9857d58ed 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -839,7 +839,6 @@
+   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   FatPkg/EnhancedFatDxe/Fat.inf
+   MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+-  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+   OvmfPkg/SataControllerDxe/SataControllerDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index 79fee2afbf..1e471581d2 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -301,7 +301,6 @@ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
+ 
+ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+-INF  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+ 
+ !ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+-- 
+2.27.0
+
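Review bot: Every hunk in this patch (09/19) still carries MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf as a context line, which patch 11/19 deletes, and the blob ids chain the same way (OvmfPkgX64.fdf ends at 1e471581d2 here and starts from 1e471581d2 in the UdfDxe patch), so the series applies only in its [PATCH NN/19] order. The file names under SOURCES/ carry no sequence number, so please make sure the spec file lists these patches in series order rather than by file name, or add the number to the file names. The message "Remove the virtio-fs driver." would also benefit from a one-line reason.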
diff --git a/SOURCES/edk2-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch b/SOURCES/edk2-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch
new file mode 100644
index 0000000..632a078
--- /dev/null
+++ b/SOURCES/edk2-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch
@@ -0,0 +1,129 @@
+From c24e195227b350825389473db9b9ee8556148958 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:28:59 +0200
+Subject: [PATCH 04/19] OvmfPkg: Remove VirtioGpu device driver (RHEL only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [4/19] f0a41317291f2e9e3b5bd3125149c3866f23ab08
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+QemuVideoDxe binds virtio-vga, so VirtioGpu is not needed.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc | 1 -
+ OvmfPkg/AmdSev/AmdSevX64.fdf | 1 -
+ OvmfPkg/OvmfPkgIa32.dsc      | 1 -
+ OvmfPkg/OvmfPkgIa32.fdf      | 1 -
+ OvmfPkg/OvmfPkgIa32X64.dsc   | 1 -
+ OvmfPkg/OvmfPkgIa32X64.fdf   | 1 -
+ OvmfPkg/OvmfPkgX64.dsc       | 1 -
+ OvmfPkg/OvmfPkgX64.fdf       | 1 -
+ 8 files changed, 8 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 7ca368f667..8966b90cb5 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -756,7 +756,6 @@
+     <PcdsFixedAtBuild>
+       gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+   }
+-  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ 
+   #
+   # ISA Support
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
+index 8af26d3989..5f980d5f98 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
+@@ -292,7 +292,6 @@ INF  MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+ INF  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ 
+ INF  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+-INF  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ INF  OvmfPkg/PlatformDxe/Platform.inf
+ INF  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
+ INF  OvmfPkg/IoMmuDxe/IoMmuDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 634a4aa73d..2ba90ddf8b 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -852,7 +852,6 @@
+     <PcdsFixedAtBuild>
+       gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+   }
+-  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ 
+   #
+   # ISA Support
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index 4e36026061..e70508ecfc 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -327,7 +327,6 @@ INF  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ !endif
+ 
+ INF  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+-INF  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ INF  OvmfPkg/PlatformDxe/Platform.inf
+ INF  OvmfPkg/IoMmuDxe/IoMmuDxe.inf
+ 
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index c3ce34870e..5f22848972 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -866,7 +866,6 @@
+     <PcdsFixedAtBuild>
+       gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+   }
+-  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ 
+   #
+   # ISA Support
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index 97e24ab104..237271e50b 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -333,7 +333,6 @@ INF  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ !endif
+ 
+ INF  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+-INF  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ INF  OvmfPkg/PlatformDxe/Platform.inf
+ INF  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
+ INF  OvmfPkg/IoMmuDxe/IoMmuDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 36d9b0943b..5377a8a2f3 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -864,7 +864,6 @@
+     <PcdsFixedAtBuild>
+       gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+   }
+-  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ 
+   #
+   # ISA Support
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index 6d66e4d07e..f8611f5c07 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -345,7 +345,6 @@ INF  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ !endif
+ 
+ INF  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+-INF  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ INF  OvmfPkg/PlatformDxe/Platform.inf
+ INF  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
+ INF  OvmfPkg/IoMmuDxe/IoMmuDxe.inf
+-- 
+2.27.0
+
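Review bot: the commit message justifies the removal only for virtio-vga ("QemuVideoDxe binds virtio-vga, so VirtioGpu is not needed") and says nothing about guests whose virtio GPU is not presented as virtio-vga, which after this patch have no `OvmfPkg/VirtioGpuDxe/VirtioGpu.inf` in any of the eight .dsc/.fdf files. Please state in the message whether that configuration is simply unsupported in this build, so the reasoning does not have to be rediscovered at the next rebase. The .dsc and .fdf removals are correctly paired for all four platforms.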
diff --git a/SOURCES/edk2-OvmfPkg-Remove-Xen-Drivers-RHEL-only.patch b/SOURCES/edk2-OvmfPkg-Remove-Xen-Drivers-RHEL-only.patch
new file mode 100644
index 0000000..96dfa02
--- /dev/null
+++ b/SOURCES/edk2-OvmfPkg-Remove-Xen-Drivers-RHEL-only.patch
@@ -0,0 +1,146 @@
+From 8dbcd6ed425ce30a5c948e0c9c9fb46e146dfbf1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Fri, 2 Jul 2021 20:24:51 +0200
+Subject: [PATCH 19/19] OvmfPkg: Remove Xen Drivers (RHEL only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [19/19] 0414f7a12583c3290f3fde942098123c2be6d8c4
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove the XenIoPciDxe, XenBusDxe, XenPvBlkDxe drivers since Xen is
+not supported in RHEL.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc | 3 ---
+ OvmfPkg/AmdSev/AmdSevX64.fdf | 3 ---
+ OvmfPkg/OvmfPkgIa32.dsc      | 3 ---
+ OvmfPkg/OvmfPkgIa32.fdf      | 3 ---
+ OvmfPkg/OvmfPkgIa32X64.dsc   | 3 ---
+ OvmfPkg/OvmfPkgIa32X64.fdf   | 3 ---
+ OvmfPkg/OvmfPkgX64.dsc       | 3 ---
+ OvmfPkg/OvmfPkgX64.fdf       | 3 ---
+ 8 files changed, 24 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 485c60dd36..2e103d5e6c 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -701,9 +701,6 @@
+   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+   OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+   OvmfPkg/VirtioRngDxe/VirtioRng.inf
+-  OvmfPkg/XenIoPciDxe/XenIoPciDxe.inf
+-  OvmfPkg/XenBusDxe/XenBusDxe.inf
+-  OvmfPkg/XenPvBlkDxe/XenPvBlkDxe.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+   OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+ !endif
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
+index 1cf4d659d1..0ba41279e8 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
+@@ -211,9 +211,6 @@ INF  OvmfPkg/Virtio10Dxe/Virtio10.inf
+ INF  OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+ INF  OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+ INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+-INF  OvmfPkg/XenIoPciDxe/XenIoPciDxe.inf
+-INF  OvmfPkg/XenBusDxe/XenBusDxe.inf
+-INF  OvmfPkg/XenPvBlkDxe/XenPvBlkDxe.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+ INF  OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+ !endif
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index f844c5f97c..7cf7ace2b3 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -794,9 +794,6 @@
+   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+   OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+   OvmfPkg/VirtioRngDxe/VirtioRng.inf
+-  OvmfPkg/XenIoPciDxe/XenIoPciDxe.inf
+-  OvmfPkg/XenBusDxe/XenBusDxe.inf
+-  OvmfPkg/XenPvBlkDxe/XenPvBlkDxe.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+   OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+ !endif
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index f4a6829085..f1b515d2ef 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -227,9 +227,6 @@ INF  OvmfPkg/Virtio10Dxe/Virtio10.inf
+ INF  OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+ INF  OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+ INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+-INF  OvmfPkg/XenIoPciDxe/XenIoPciDxe.inf
+-INF  OvmfPkg/XenBusDxe/XenBusDxe.inf
+-INF  OvmfPkg/XenPvBlkDxe/XenPvBlkDxe.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+ INF  OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+ !endif
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index b373c0d63a..4e63e9d0b1 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -808,9 +808,6 @@
+   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+   OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+   OvmfPkg/VirtioRngDxe/VirtioRng.inf
+-  OvmfPkg/XenIoPciDxe/XenIoPciDxe.inf
+-  OvmfPkg/XenBusDxe/XenBusDxe.inf
+-  OvmfPkg/XenPvBlkDxe/XenPvBlkDxe.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+   OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+ !endif
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index 35692403d3..88c0bc2a62 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -228,9 +228,6 @@ INF  OvmfPkg/Virtio10Dxe/Virtio10.inf
+ INF  OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+ INF  OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+ INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+-INF  OvmfPkg/XenIoPciDxe/XenIoPciDxe.inf
+-INF  OvmfPkg/XenBusDxe/XenBusDxe.inf
+-INF  OvmfPkg/XenPvBlkDxe/XenPvBlkDxe.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+ INF  OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+ !endif
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 39e8e5b3c4..0b43d1ebc7 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -806,9 +806,6 @@
+   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+   OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+   OvmfPkg/VirtioRngDxe/VirtioRng.inf
+-  OvmfPkg/XenIoPciDxe/XenIoPciDxe.inf
+-  OvmfPkg/XenBusDxe/XenBusDxe.inf
+-  OvmfPkg/XenPvBlkDxe/XenPvBlkDxe.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+   OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+ !endif
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index a0c3c182f6..f578f9ffad 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -240,9 +240,6 @@ INF  OvmfPkg/Virtio10Dxe/Virtio10.inf
+ INF  OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+ INF  OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+ INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+-INF  OvmfPkg/XenIoPciDxe/XenIoPciDxe.inf
+-INF  OvmfPkg/XenBusDxe/XenBusDxe.inf
+-INF  OvmfPkg/XenPvBlkDxe/XenPvBlkDxe.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+ INF  OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+ !endif
+-- 
+2.27.0
+
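Review bot: the message names the three drivers being dropped (XenIoPciDxe, XenBusDxe, XenPvBlkDxe) but does not say whether these are the only Xen-specific modules referenced by the eight platform files, and the context lines here show only the Virtio and PvScsi neighbours. If the goal is to ship no Xen code at all, add one sentence (or the grep you ran) confirming that no other Xen module is left in the .dsc/.fdf files. If other Xen pieces are kept on purpose, say which and why.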
diff --git a/SOURCES/edk2-aarch64-verbose.json b/SOURCES/edk2-aarch64-verbose.json
new file mode 100644
index 0000000..ceec878
--- /dev/null
+++ b/SOURCES/edk2-aarch64-verbose.json
@@ -0,0 +1,31 @@
+{
+    "description": "UEFI firmware for ARM64 virtual machines, verbose logs",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "executable": {
+            "filename": "/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw",
+            "format": "raw"
+        },
+        "nvram-template": {
+            "filename": "/usr/share/edk2/aarch64/vars-template-pflash.raw",
+            "format": "raw"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "aarch64",
+            "machines": [
+                "virt-*"
+            ]
+        }
+    ],
+    "features": [
+        "verbose-static"
+    ],
+    "tags": [
+
+    ]
+}
diff --git a/SOURCES/edk2-aarch64.json b/SOURCES/edk2-aarch64.json
new file mode 100644
index 0000000..c5a73cb
--- /dev/null
+++ b/SOURCES/edk2-aarch64.json
@@ -0,0 +1,31 @@
+{
+    "description": "UEFI firmware for ARM64 virtual machines",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "executable": {
+            "filename": "/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.raw",
+            "format": "raw"
+        },
+        "nvram-template": {
+            "filename": "/usr/share/edk2/aarch64/vars-template-pflash.raw",
+            "format": "raw"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "aarch64",
+            "machines": [
+                "virt-*"
+            ]
+        }
+    ],
+    "features": [
+
+    ],
+    "tags": [
+
+    ]
+}
diff --git a/SOURCES/edk2-ovmf-cc.json b/SOURCES/edk2-ovmf-cc.json
new file mode 100644
index 0000000..2e52745
--- /dev/null
+++ b/SOURCES/edk2-ovmf-cc.json
@@ -0,0 +1,33 @@
+{
+    "description": "OVMF with SEV-ES support",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "executable": {
+            "filename": "/usr/share/edk2/ovmf/OVMF_CODE.cc.fd",
+            "format": "raw"
+        },
+        "nvram-template": {
+            "filename": "/usr/share/edk2/ovmf/OVMF_VARS.fd",
+            "format": "raw"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "x86_64",
+            "machines": [
+                "pc-q35-rhel8.5.0"
+            ]
+        }
+    ],
+    "features": [
+        "amd-sev",
+        "amd-sev-es",
+        "verbose-dynamic"
+    ],
+    "tags": [
+
+    ]
+}
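Review bot: "machines" is pinned to the single type "pc-q35-rhel8.5.0", while the other x86_64 descriptors added in this commit (edk2-ovmf-sb.json, edk2-ovmf.json) use the glob "pc-q35-*". If the pin is intentional, record the reason in the description or the changelog. Otherwise a guest on any other q35 machine type will not match this descriptor and the SEV-ES build will not be selected for it. The description could also mention that this descriptor lists neither "secure-boot" nor "requires-smm", so it is not interchangeable with the secboot build.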
diff --git a/SOURCES/edk2-ovmf-sb.json b/SOURCES/edk2-ovmf-sb.json
new file mode 100644
index 0000000..a0203e8
--- /dev/null
+++ b/SOURCES/edk2-ovmf-sb.json
@@ -0,0 +1,36 @@
+{
+    "description": "OVMF with SB+SMM, SB enabled, MS certs enrolled",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "executable": {
+            "filename": "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd",
+            "format": "raw"
+        },
+        "nvram-template": {
+            "filename": "/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd",
+            "format": "raw"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "x86_64",
+            "machines": [
+                "pc-q35-*"
+            ]
+        }
+    ],
+    "features": [
+        "acpi-s3",
+        "amd-sev",
+        "enrolled-keys",
+        "requires-smm",
+        "secure-boot",
+        "verbose-dynamic"
+    ],
+    "tags": [
+
+    ]
+}
diff --git a/SOURCES/edk2-ovmf.json b/SOURCES/edk2-ovmf.json
new file mode 100644
index 0000000..74d00e3
--- /dev/null
+++ b/SOURCES/edk2-ovmf.json
@@ -0,0 +1,35 @@
+{
+    "description": "OVMF with SB+SMM, empty varstore",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "executable": {
+            "filename": "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd",
+            "format": "raw"
+        },
+        "nvram-template": {
+            "filename": "/usr/share/edk2/ovmf/OVMF_VARS.fd",
+            "format": "raw"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "x86_64",
+            "machines": [
+                "pc-q35-*"
+            ]
+        }
+    ],
+    "features": [
+        "acpi-s3",
+        "amd-sev",
+        "requires-smm",
+        "secure-boot",
+        "verbose-dynamic"
+    ],
+    "tags": [
+
+    ]
+}
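Review bot: this descriptor advertises "secure-boot" while its nvram-template is the empty OVMF_VARS.fd, and the only thing separating it from edk2-ovmf-sb.json is the absence of "enrolled-keys". A consumer that filters on "secure-boot" alone can match this file and get a guest in which nothing is enforced until keys are enrolled. Suggest making the description explicit, for example "OVMF with SB+SMM, SB not enabled (empty varstore)", to mirror the "SB enabled, MS certs enrolled" wording in the sibling descriptor.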
diff --git a/SOURCES/ovmf-vars-generator b/SOURCES/ovmf-vars-generator
new file mode 100755
index 0000000..111e438
--- /dev/null
+++ b/SOURCES/ovmf-vars-generator
@@ -0,0 +1,295 @@
+#!/bin/python3
+# Copyright (C) 2017 Red Hat
+# Authors:
+# - Patrick Uiterwijk <puiterwijk@redhat.com>
+# - Kashyap Chamarthy <kchamart@redhat.com>
+#
+# Licensed under MIT License, for full text see LICENSE
+#
+# Purpose: Launch a QEMU guest and enroll ithe UEFI keys into an OVMF
+#          variables ("VARS") file.  Then boot a Linux kernel with QEMU.
+#          Finally, perform a check to verify if Secure Boot
+#          is enabled.
+
+from __future__ import print_function
+
+import argparse
+import os
+import logging
+import tempfile
+import shutil
+import string
+import subprocess
+
+
+def strip_special(line):
+    return ''.join([c for c in str(line) if c in string.printable])
+
+
+def generate_qemu_cmd(args, readonly, *extra_args):
+    if args.disable_smm:
+        machinetype = 'pc'
+    else:
+        machinetype = 'q35,smm=on'
+    machinetype += ',accel=%s' % ('kvm' if args.enable_kvm else 'tcg')
+
+    if args.oem_string is None:
+        oemstrings = []
+    else:
+        oemstring_values = [
+            ",value=" + s.replace(",", ",,") for s in args.oem_string ]
+        oemstrings = [
+            '-smbios',
+            "type=11" + ''.join(oemstring_values) ]
+
+    return [
+        args.qemu_binary,
+        '-machine', machinetype,
+        '-display', 'none',
+        '-no-user-config',
+        '-nodefaults',
+        '-m', '768',
+        '-smp', '2,sockets=2,cores=1,threads=1',
+        '-chardev', 'pty,id=charserial1',
+        '-device', 'isa-serial,chardev=charserial1,id=serial1',
+        '-global', 'driver=cfi.pflash01,property=secure,value=%s' % (
+            'off' if args.disable_smm else 'on'),
+        '-drive',
+        'file=%s,if=pflash,format=raw,unit=0,readonly=on' % (
+            args.ovmf_binary),
+        '-drive',
+        'file=%s,if=pflash,format=raw,unit=1,readonly=%s' % (
+            args.out_temp, 'on' if readonly else 'off'),
+        '-serial', 'stdio'] + oemstrings + list(extra_args)
+
+
+def download(url, target, suffix, no_download):
+    istemp = False
+    if target and os.path.exists(target):
+        return target, istemp
+    if not target:
+        temped = tempfile.mkstemp(prefix='qosb.', suffix='.%s' % suffix)
+        os.close(temped[0])
+        target = temped[1]
+        istemp = True
+    if no_download:
+        raise Exception('%s did not exist, but downloading was disabled' %
+                        target)
+    import requests
+    logging.debug('Downloading %s to %s', url, target)
+    r = requests.get(url, stream=True)
+    with open(target, 'wb') as f:
+        for chunk in r.iter_content(chunk_size=1024):
+            if chunk:
+                f.write(chunk)
+    return target, istemp
+
+
+def enroll_keys(args):
+    shutil.copy(args.ovmf_template_vars, args.out_temp)
+
+    logging.info('Starting enrollment')
+
+    cmd = generate_qemu_cmd(
+        args,
+        False,
+        '-drive',
+        'file=%s,format=raw,if=none,media=cdrom,id=drive-cd1,'
+        'readonly=on' % args.uefi_shell_iso,
+        '-device',
+        'ide-cd,drive=drive-cd1,id=cd1,'
+        'bootindex=1')
+    p = subprocess.Popen(cmd,
+        stdin=subprocess.PIPE,
+        stdout=subprocess.PIPE,
+        stderr=subprocess.STDOUT)
+    logging.info('Performing enrollment')
+    # Wait until the UEFI shell starts (first line is printed)
+    read = p.stdout.readline()
+    if b'char device redirected' in read:
+        read = p.stdout.readline()
+    # Skip passed QEMU warnings, like the following one we see in Ubuntu:
+    # qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.vmx [bit 5]
+    while b'qemu-system-x86_64: warning:' in read:
+        read = p.stdout.readline()
+    if args.print_output:
+        print(strip_special(read), end='')
+        print()
+    # Send the escape char to enter the UEFI shell early
+    p.stdin.write(b'\x1b')
+    p.stdin.flush()
+    # And then run the following three commands from the UEFI shell:
+    # change into the first file system device; install the default
+    # keys and certificates, and reboot
+    p.stdin.write(b'fs0:\r\n')
+    p.stdin.write(b'EnrollDefaultKeys.efi\r\n')
+    p.stdin.write(b'reset -s\r\n')
+    p.stdin.flush()
+    while True:
+        read = p.stdout.readline()
+        if args.print_output:
+            print('OUT: %s' % strip_special(read), end='')
+            print()
+        if b'info: success' in read:
+            break
+    p.wait()
+    if args.print_output:
+        print(strip_special(p.stdout.read()), end='')
+    logging.info('Finished enrollment')
+
+
+def test_keys(args):
+    logging.info('Grabbing test kernel')
+    kernel, kerneltemp = download(args.kernel_url, args.kernel_path,
+                                  'kernel', args.no_download)
+
+    logging.info('Starting verification')
+    try:
+        cmd = generate_qemu_cmd(
+            args,
+            True,
+            '-append', 'console=tty0 console=ttyS0,115200n8',
+            '-kernel', kernel)
+        p = subprocess.Popen(cmd,
+            stdin=subprocess.PIPE,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.STDOUT)
+        logging.info('Performing verification')
+        while True:
+            read = p.stdout.readline()
+            if args.print_output:
+                print('OUT: %s' % strip_special(read), end='')
+                print()
+            if b'Secure boot disabled' in read:
+                raise Exception('Secure Boot was disabled')
+            elif b'Secure boot enabled' in read:
+                logging.info('Confirmed: Secure Boot is enabled')
+                break
+            elif b'Kernel is locked down from EFI secure boot' in read:
+                logging.info('Confirmed: Secure Boot is enabled')
+                break
+        p.kill()
+        if args.print_output:
+            print(strip_special(p.stdout.read()), end='')
+        logging.info('Finished verification')
+    finally:
+        if kerneltemp:
+            os.remove(kernel)
+
+
+def parse_args():
+    parser = argparse.ArgumentParser()
+    parser.add_argument('output', help='Filename for output vars file')
+    parser.add_argument('--out-temp', help=argparse.SUPPRESS)
+    parser.add_argument('--force', help='Overwrite existing output file',
+                        action='store_true')
+    parser.add_argument('--print-output', help='Print the QEMU guest output',
+                        action='store_true')
+    parser.add_argument('--verbose', '-v', help='Increase verbosity',
+                        action='count')
+    parser.add_argument('--quiet', '-q', help='Decrease verbosity',
+                        action='count')
+    parser.add_argument('--qemu-binary', help='QEMU binary path',
+                        default='/usr/bin/qemu-system-x86_64')
+    parser.add_argument('--enable-kvm', help='Enable KVM acceleration',
+                        action='store_true')
+    parser.add_argument('--ovmf-binary', help='OVMF secureboot code file',
+                        default='/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd')
+    parser.add_argument('--ovmf-template-vars', help='OVMF empty vars file',
+                        default='/usr/share/edk2/ovmf/OVMF_VARS.fd')
+    parser.add_argument('--uefi-shell-iso', help='Path to uefi shell iso',
+                        default='/usr/share/edk2/ovmf/UefiShell.iso')
+    parser.add_argument('--skip-enrollment',
+                        help='Skip enrollment, only test', action='store_true')
+    parser.add_argument('--skip-testing',
+                        help='Skip testing generated "VARS" file',
+                        action='store_true')
+    parser.add_argument('--kernel-path',
+                        help='Specify a consistent path for kernel')
+    parser.add_argument('--no-download', action='store_true',
+                        help='Never download a kernel')
+    parser.add_argument('--fedora-version',
+                        help='Fedora version to get kernel for checking',
+                        default='27')
+    parser.add_argument('--kernel-url', help='Kernel URL',
+                        default='https://download.fedoraproject.org/pub/fedora'
+                                '/linux/releases/%(version)s/Everything/x86_64'
+                                '/os/images/pxeboot/vmlinuz')
+    parser.add_argument('--disable-smm',
+                        help=('Don\'t restrict varstore pflash writes to '
+                              'guest code that executes in SMM. Use this '
+                              'option only if your OVMF binary doesn\'t have '
+                              'the edk2 SMM driver stack built into it '
+                              '(possibly because your QEMU binary lacks SMM '
+                              'emulation). Note that without restricting '
+                              'varstore pflash writes to guest code that '
+                              'executes in SMM, a malicious guest kernel, '
+                              'used for testing, could undermine Secure '
+                              'Boot.'),
+                        action='store_true')
+    parser.add_argument('--oem-string',
+                        help=('Pass the argument to the guest as a string in '
+                              'the SMBIOS Type 11 (OEM Strings) table. '
+                              'Multiple occurrences of this option are '
+                              'collected into a single SMBIOS Type 11 table. '
+                              'A pure ASCII string argument is strongly '
+                              'suggested.'),
+                        action='append')
+    args = parser.parse_args()
+    args.kernel_url = args.kernel_url % {'version': args.fedora_version}
+
+    validate_args(args)
+    return args
+
+
+def validate_args(args):
+    if (os.path.exists(args.output)
+            and not args.force
+            and not args.skip_enrollment):
+        raise Exception('%s already exists' % args.output)
+
+    if args.skip_enrollment and not os.path.exists(args.output):
+        raise Exception('%s does not yet exist' % args.output)
+
+    verbosity = (args.verbose or 1) - (args.quiet or 0)
+    if verbosity >= 2:
+        logging.basicConfig(level=logging.DEBUG)
+    elif verbosity == 1:
+        logging.basicConfig(level=logging.INFO)
+    elif verbosity < 0:
+        logging.basicConfig(level=logging.ERROR)
+    else:
+        logging.basicConfig(level=logging.WARN)
+
+    if args.skip_enrollment:
+        args.out_temp = args.output
+    else:
+        temped = tempfile.mkstemp(prefix='qosb.', suffix='.vars')
+        os.close(temped[0])
+        args.out_temp = temped[1]
+        logging.debug('Temp output: %s', args.out_temp)
+
+
+def move_to_dest(args):
+    shutil.copy(args.out_temp, args.output)
+    os.remove(args.out_temp)
+
+
+def main():
+    args = parse_args()
+    if not args.skip_enrollment:
+        enroll_keys(args)
+    if not args.skip_testing:
+        test_keys(args)
+    if not args.skip_enrollment:
+        move_to_dest(args)
+        if args.skip_testing:
+            logging.info('Created %s' % args.output)
+        else:
+            logging.info('Created and verified %s' % args.output)
+    else:
+        logging.info('Verified %s', args.output)
+
+
+if __name__ == '__main__':
+    main()
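Review bot: both read loops (`while True:` followed by `read = p.stdout.readline()` in enroll_keys and in test_keys) never test for end of file, so if QEMU exits before printing `info: success` or one of the Secure Boot strings, readline() keeps returning b'' and the script spins forever instead of failing the build. Raise when `read` is empty (or when `p.poll()` is not None) and consider an overall timeout. Two smaller points in the same file: download() writes whatever `requests.get` returns without calling `r.raise_for_status()` or checking a digest, so an HTTP error body or a substituted file becomes the kernel used to confirm Secure Boot; and the temporary varstore created with mkstemp in validate_args is left on disk when enrollment or verification raises, since only move_to_dest removes it.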
diff --git a/SOURCES/ovmf-whitepaper-c770f8c.txt b/SOURCES/ovmf-whitepaper-c770f8c.txt
new file mode 100644
index 0000000..ba727b4
--- /dev/null
+++ b/SOURCES/ovmf-whitepaper-c770f8c.txt
@@ -0,0 +1,2422 @@
+Open Virtual Machine Firmware (OVMF) Status Report
+July 2014 (with updates in August 2014 - January 2015)
+
+Author: Laszlo Ersek <lersek@redhat.com>
+Copyright (C) 2014-2015, Red Hat, Inc.
+CC BY-SA 4.0 <http://creativecommons.org/licenses/by-sa/4.0/>
+
+Abstract
+--------
+
+The Unified Extensible Firmware Interface (UEFI) is a specification that
+defines a software interface between an operating system and platform firmware.
+UEFI is designed to replace the Basic Input/Output System (BIOS) firmware
+interface.
+
+Hardware platform vendors have been increasingly adopting the UEFI
+Specification to govern their boot firmware developments. OVMF (Open Virtual
+Machine Firmware), a sub-project of Intel's EFI Development Kit II (edk2),
+enables UEFI support for Ia32 and X64 Virtual Machines.
+
+This paper reports on the status of the OVMF project, treats features and
+limitations, gives end-user hints, and examines some areas in-depth.
+
+Keywords: ACPI, boot options, CSM, edk2, firmware, flash, fw_cfg, KVM, memory
+map, non-volatile variables, OVMF, PCD, QEMU, reset vector, S3, Secure Boot,
+Smbios, SMM, TianoCore, UEFI, VBE shim, Virtio
+
+Table of Contents
+-----------------
+
+- Motivation
+- Scope
+- Example qemu invocation
+- Installation of OVMF guests with virt-manager and virt-install
+- Supported guest operating systems
+- Compatibility Support Module (CSM)
+- Phases of the boot process
+- Project structure
+- Platform Configuration Database (PCD)
+- Firmware image structure
+- S3 (suspend to RAM and resume)
+- A comprehensive memory map of OVMF
+- Known Secure Boot limitations
+- Variable store and LockBox in SMRAM
+- Select features
+  - X64-specific reset vector for OVMF
+  - Client library for QEMU's firmware configuration interface
+  - Guest ACPI tables
+  - Guest SMBIOS tables
+  - Platform-specific boot policy
+  - Virtio drivers
+  - Platform Driver
+  - Video driver
+- Afterword
+
+Motivation
+----------
+
+OVMF extends the usual benefits of virtualization to UEFI. Reasons to use OVMF
+include:
+
+- Legacy-free guests. A UEFI-based environment eliminates dependencies on
+  legacy address spaces and devices. This is especially beneficial when used
+  with physically assigned devices where the legacy operating mode is
+  troublesome to support, ex. assigned graphics cards operating in legacy-free,
+  non-VGA mode in the guest.
+
+- Future proof guests. The x86 market is steadily moving towards a legacy-free
+  platform and guest operating systems may eventually require a UEFI
+  environment. OVMF provides that next generation firmware support for such
+  applications.
+
+- GUID partition tables (GPTs). MBR partition tables represent partition
+  offsets and sizes with 32-bit integers, in units of 512 byte sectors. This
+  limits the addressable portion of the disk to 2 TB. GPT represents logical
+  block addresses with 64 bits.
+
+- Liberating boot loader binaries from residing in contested and poorly defined
+  space between the partition table and the partitions.
+
+- Support for booting off disks (eg. pass-through physical SCSI devices) with a
+  4kB physical and logical sector size, i.e. which don't have 512-byte block
+  emulation.
+
+- Development and testing of Secure Boot-related features in guest operating
+  systems. Although OVMF's Secure Boot implementation is currently not secure
+  against malicious UEFI drivers, UEFI applications, and guest kernels,
+  trusted guest code that only uses standard UEFI interfaces will find a valid
+  Secure Boot environment under OVMF, with working key enrollment and signature
+  validation. This enables development and testing of portable, Secure
+  Boot-related guest code.
+
+- Presence of non-volatile UEFI variables. This furthers development and
+  testing of OS installers, UEFI boot loaders, and unique, dependent guest OS
+  features. For example, an efivars-backed pstore (persistent storage)
+  file system works under Linux.
+
+- Altogether, a near production-level UEFI environment for virtual machines
+  when Secure Boot is not required.
+
+Scope
+-----
+
+UEFI and especially Secure Boot have been topics fraught with controversy and
+political activism. This paper sidesteps these aspects and strives to focus on
+use cases, hands-on information for end users, and technical details.
+
+Unless stated otherwise, the expression "X supports Y" means "X is technically
+compatible with interfaces provided or required by Y". It does not imply
+support as an activity performed by natural persons or companies.
+
+We discuss the status of OVMF at a state no earlier than edk2 SVN revision
+16158. The paper concentrates on upstream projects and communities, but
+occasionally it pans out about OVMF as it is planned to be shipped (as
+Technical Preview) in Red Hat Enterprise Linux 7.1. Such digressions are marked
+with the [RHEL] margin notation.
+
+Although other VMMs and accelerators are known to support (or plan to support)
+OVMF to various degrees -- for example, VirtualBox, Xen, BHyVe --, we'll
+emphasize OVMF on qemu/KVM, because QEMU and KVM have always been Red Hat's
+focus wrt. OVMF.
+
+The recommended upstream QEMU version is 2.1+. The recommended host Linux
+kernel (KVM) version is 3.10+. The recommended QEMU machine type is
+"qemu-system-x86_64 -M pc-i440fx-2.1" or later.
+
+The term "TianoCore" is used interchangeably with "edk2" in this paper.
+
+Example qemu invocation
+-----------------------
+
+The following commands give a quick foretaste of installing a UEFI operating
+system on OVMF, relying only on upstream edk2 and qemu.
+
+- Clone and build OVMF:
+
+  git clone https://github.com/tianocore/edk2.git
+  cd edk2
+  nice OvmfPkg/build.sh -a X64 -n $(getconf _NPROCESSORS_ONLN)
+
+  (Note that this ad-hoc build will not include the Secure Boot feature.)
+
+- The build output file, "OVMF.fd", includes not only the executable firmware
+  code, but the non-volatile variable store as well. For this reason, make a
+  VM-specific copy of the build output (the variable store should be private to
+  the virtual machine):
+
+  cp Build/OvmfX64/DEBUG_GCC4?/FV/OVMF.fd fedora.flash
+
+  (The variable store and the firmware executable are also available in the
+  build output as separate files: "OVMF_VARS.fd" and "OVMF_CODE.fd". This
+  enables central management and updates of the firmware executable, while each
+  virtual machine can retain its own variable store.)
+
+- Download a Fedora LiveCD:
+
+  wget https://dl.fedoraproject.org/pub/fedora/linux/releases/20/Live/x86_64/Fedora-Live-Xfce-x86_64-20-1.iso
+
+- Create a virtual disk (qcow2 format, 20 GB in size):
+
+  qemu-img create -f qcow2 fedora.img 20G
+
+- Create the following qemu wrapper script under the name "fedora.sh":
+
+  # Basic virtual machine properties: a recent i440fx machine type, KVM
+  # acceleration, 2048 MB RAM, two VCPUs.
+  OPTS="-M pc-i440fx-2.1 -enable-kvm -m 2048 -smp 2"
+
+  # The OVMF binary, including the non-volatile variable store, appears as a
+  # "normal" qemu drive on the host side, and it is exposed to the guest as a
+  # persistent flash device.
+  OPTS="$OPTS -drive if=pflash,format=raw,file=fedora.flash"
+
+  # The hard disk is exposed to the guest as a virtio-block device. OVMF has a
+  # driver stack that supports such a disk. We specify this disk as first boot
+  # option. OVMF recognizes the boot order specification.
+  OPTS="$OPTS -drive id=disk0,if=none,format=qcow2,file=fedora.img"
+  OPTS="$OPTS -device virtio-blk-pci,drive=disk0,bootindex=0"
+
+  # The Fedora installer disk appears as an IDE CD-ROM in the guest. This is
+  # the 2nd boot option.
+  OPTS="$OPTS -drive id=cd0,if=none,format=raw,readonly"
+  OPTS="$OPTS,file=Fedora-Live-Xfce-x86_64-20-1.iso"
+  OPTS="$OPTS -device ide-cd,bus=ide.1,drive=cd0,bootindex=1"
+
+  # The following setting enables S3 (suspend to RAM). OVMF supports S3
+  # suspend/resume.
+  OPTS="$OPTS -global PIIX4_PM.disable_s3=0"
+
+  # OVMF emits a number of info / debug messages to the QEMU debug console, at
+  # ioport 0x402. We configure qemu so that the debug console is indeed
+  # available at that ioport. We redirect the host side of the debug console to
+  # a file.
+  OPTS="$OPTS -global isa-debugcon.iobase=0x402 -debugcon file:fedora.ovmf.log"
+
+  # QEMU accepts various commands and queries from the user on the monitor
+  # interface. Connect the monitor with the qemu process's standard input and
+  # output.
+  OPTS="$OPTS -monitor stdio"
+
+  # A USB tablet device in the guest allows for accurate pointer tracking
+  # between the host and the guest.
+  OPTS="$OPTS -device piix3-usb-uhci -device usb-tablet"
+
+  # Provide the guest with a virtual network card (virtio-net).
+  #
+  # Normally, qemu provides the guest with a UEFI-conformant network driver
+  # from the iPXE project, in the form of a PCI expansion ROM. For this test,
+  # we disable the expansion ROM and allow OVMF's built-in virtio-net driver to
+  # take effect.
+  #
+  # On the host side, we use the SLIRP ("user") network backend, which has
+  # relatively low performance, but it doesn't require extra privileges from
+  # the user executing qemu.
+  OPTS="$OPTS -netdev id=net0,type=user"
+  OPTS="$OPTS -device virtio-net-pci,netdev=net0,romfile="
+
+  # A Spice QXL GPU is recommended as the primary VGA-compatible display
+  # device. It is a full-featured virtual video card, with great operating
+  # system driver support. OVMF supports it too.
+  OPTS="$OPTS -device qxl-vga"
+
+  qemu-system-x86_64 $OPTS
+
+- Start the Fedora guest:
+
+  sh fedora.sh
+
+- The above command can be used for both installation and later boots of the
+  Fedora guest.
+
+- In order to verify basic OVMF network connectivity:
+
+  - Assuming that the non-privileged user running qemu belongs to group G
+    (where G is a numeric identifier), ensure as root on the host that the
+    group range in file "/proc/sys/net/ipv4/ping_group_range" includes G.
+
+  - As the non-privileged user, boot the guest as usual.
+
+  - On the TianoCore splash screen, press ESC.
+
+  - Navigate to Boot Manager | EFI Internal Shell
+
+  - In the UEFI Shell, issue the following commands:
+
+    ifconfig -s eth0 dhcp
+    ping A.B.C.D
+
+    where A.B.C.D is a public IPv4 address in dotted decimal notation that your
+    host can reach.
+
+  - Type "quit" at the (qemu) monitor prompt.
+
+Installation of OVMF guests with virt-manager and virt-install
+--------------------------------------------------------------
+
+(1) Assuming OVMF has been installed on the host with the following files:
+    - /usr/share/OVMF/OVMF_CODE.fd
+    - /usr/share/OVMF/OVMF_VARS.fd
+
+    locate the "nvram" stanza in "/etc/libvirt/qemu.conf", and edit it as
+    follows:
+
+    nvram = [ "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd" ]
+
+(2) Restart libvirtd with your Linux distribution's service management tool;
+    for example,
+
+    systemctl restart libvirtd
+
+(3) In virt-manager, proceed with the guest installation as usual:
+    - select File | New Virtual Machine,
+    - advance to Step 5 of 5,
+    - in Step 5, check "Customize configuration before install",
+    - click Finish;
+    - in the customization dialog, select Overview | Firmware, and choose UEFI,
+    - click Apply and Begin Installation.
+
+(4) With virt-install:
+
+    LDR="loader=/usr/share/OVMF/OVMF_CODE.fd,loader_ro=yes,loader_type=pflash"
+    virt-install \
+      --name fedora20 \
+      --memory 2048 \
+      --vcpus 2 \
+      --os-variant fedora20 \
+      --boot hd,cdrom,$LDR \
+      --disk size=20 \
+      --disk path=Fedora-Live-Xfce-x86_64-20-1.iso,device=cdrom,bus=scsi
+
+(5) A popular, distribution-independent, bleeding-edge OVMF package is
+    available under <https://www.kraxel.org/repos/>, courtesy of Gerd Hoffmann.
+
+    The "edk2.git-ovmf-x64" package provides the following files, among others:
+    - /usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd
+    - /usr/share/edk2.git/ovmf-x64/OVMF_VARS-pure-efi.fd
+
+    When using this package, adapt steps (1) and (4) accordingly.
+
+(6) Additionally, the "edk2.git-ovmf-x64" package seeks to simplify the
+    enablement of Secure Boot in a virtual machine (strictly for development
+    and testing purposes).
+
+    - Boot the virtual machine off the CD-ROM image called
+      "/usr/share/edk2.git/ovmf-x64/UefiShell.iso"; before or after installing
+      the main guest operating system.
+
+    - When the UEFI shell appears, issue the following commands:
+
+      EnrollDefaultKeys.efi
+      reset -s
+
+    - The EnrollDefaultKeys.efi utility enrolls the following keys:
+
+      - A static example X.509 certificate (CN=TestCommonName) as Platform Key
+        and first Key Exchange Key.
+
+        The private key matching this certificate has been destroyed (but you
+        shouldn't trust this statement).
+
+      - "Microsoft Corporation KEK CA 2011" as second Key Exchange Key
+        (SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30).
+
+      - "Microsoft Windows Production PCA 2011" as first DB entry
+        (SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d).
+
+      - "Microsoft Corporation UEFI CA 2011" as second DB entry
+        (SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3).
+
+      These keys suffice to boot released versions of popular Linux
+      distributions (through the shim.efi utility), and Windows 8 and Windows
+      Server 2012 R2, in Secure Boot mode.
+
+Supported guest operating systems
+---------------------------------
+
+Upstream OVMF does not favor some guest operating systems over others for
+political or ideological reasons. However, some operating systems are harder to
+obtain and/or technically more difficult to support. The general expectation is
+that recent UEFI OSes should just work. Please consult the "OvmfPkg/README"
+file.
+
+The following guest OSes were tested with OVMF:
+- Red Hat Enterprise Linux 6
+- Red Hat Enterprise Linux 7
+- Fedora 18
+- Fedora 19
+- Fedora 20
+- Windows Server 2008 R2 SP1
+- Windows Server 2012
+- Windows 8
+
+Notes about Windows Server 2008 R2 (paraphrasing the "OvmfPkg/README" file):
+
+- QEMU should be started with one of the "-device qxl-vga" and "-device VGA"
+  options.
+
+- Only one video mode, 1024x768x32, is supported at OS runtime.
+
+  Please refer to the section about QemuVideoDxe (OVMF's built-in video driver)
+  for more details on this limitation.
+
+- The qxl-vga video card is recommended ("-device qxl-vga"). After booting the
+  installed guest OS, select the video card in Device Manager, and upgrade the
+  video driver to the QXL XDDM one.
+
+  The QXL XDDM driver can be downloaded from
+  <http://www.spice-space.org/download.html>, under Guest | Windows binaries.
+
+  This driver enables additional graphics resolutions at OS runtime, and
+  provides S3 (suspend/resume) capability.
+
+Notes about Windows Server 2012 and Windows 8:
+
+- QEMU should be started with the "-device qxl-vga,revision=4" option (or a
+  later revision, if available).
+
+- The guest OS's builtin video driver inherits the video mode / frame buffer
+  from OVMF. There's no way to change the resolution at OS runtime.
+
+  For this reason, a platform driver has been developed for OVMF, which allows
+  users to change the preferred video mode in the firmware. Please refer to the
+  section about PlatformDxe for details.
+
+- It is recommended to upgrade the guest OS's video driver to the QXL WDDM one,
+  via Device Manager.
+
+  Binaries for the QXL WDDM driver can be found at
+  <http://people.redhat.com/~vrozenfe/qxlwddm> (pick a version greater than or
+  equal to 0.6), while the source code resides at
+  <https://github.com/vrozenfe/qxl-dod>.
+
+  This driver enables additional graphics resolutions at OS runtime, and
+  provides S3 (suspend/resume) capability.
+
+Compatibility Support Module (CSM)
+----------------------------------
+
+Collaboration between SeaBIOS and OVMF developers has enabled SeaBIOS to be
+built as a Compatibility Support Module, and OVMF to embed and use it.
+
+Benefits of a SeaBIOS CSM include:
+
+- The ability to boot legacy (non-UEFI) operating systems, such as legacy Linux
+  systems, Windows 7, OpenBSD 5.2, FreeBSD 8/9, NetBSD, DragonflyBSD, Solaris
+  10/11.
+
+- Legacy (non-UEFI-compliant) PCI expansion ROMs, such as a VGA BIOS, mapped by
+  QEMU in emulated devices' ROM BARs, are loaded and executed by OVMF.
+
+  For example, this grants the Windows Server 2008 R2 SP1 guest's native,
+  legacy video driver access to all modes of all QEMU video cards.
+
+Building the CSM target of the SeaBIOS source tree is out of scope for this
+report. Additionally, upstream OVMF does not enable the CSM by default.
+
+Interested users and developers should look for OVMF's "-D CSM_ENABLE"
+build-time option, and check out the <https://www.kraxel.org/repos/> continuous
+integration repository, which provides CSM-enabled OVMF builds.
+
+[RHEL] The "OVMF_CODE.fd" firmware image made available on the Red Hat
+       Enterprise Linux 7.1 host does not include a Compatibility Support
+       Module, for the following reasons:
+
+       - Virtual machines running officially supported, legacy guest operating
+         systems should just use the standalone SeaBIOS firmware. Firmware
+         selection is flexible in virtualization, see eg. "Installation of OVMF
+         guests with virt-manager and virt-install" above.
+
+       - The 16-bit thunking interface between OVMF and SeaBIOS is very complex
+         and presents a large debugging and support burden, based on past
+         experience.
+
+       - Secure Boot is incompatible with CSM.
+
+       - Inter-project dependencies should be minimized whenever possible.
+
+       - Using the default QXL video card, the Windows 2008 R2 SP1 guest can be
+         installed with its built-in, legacy video driver. Said driver will
+         select the only available video mode, 1024x768x32. After installation,
+         the video driver can be upgraded to the full-featured QXL XDDM driver.
+
+Phases of the boot process
+--------------------------
+
+The PI and UEFI specifications, and Intel's UEFI and EDK II Learning and
+Development materials provide ample information on PI and UEFI concepts. The
+following is an absolutely minimal, rough glossary that is included only to
+help readers new to PI and UEFI understand references in later, OVMF-specific
+sections. We defer heavily to the official specifications and the training
+materials, and frequently quote them below.
+
+A central concept to mention early is the GUID -- globally unique identifier. A
+GUID is a 128-bit number, written as XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,
+where each X stands for a hexadecimal nibble. GUIDs are used to name everything
+in PI and in UEFI. Programmers introduce new GUIDs with the "uuidgen" utility,
+and standards bodies standardize well-known services by positing their GUIDs.
+
+The boot process is roughly divided in the following phases:
+
+- Reset vector code.
+
+- SEC: Security phase. This phase is the root of firmware integrity.
+
+- PEI: Pre-EFI Initialization. This phase performs "minimal processor, chipset
+  and platform configuration for the purpose of discovering memory". Modules in
+  PEI collectively save their findings about the platform in a list of HOBs
+  (hand-off blocks).
+
+  When developing PEI code, the Platform Initialization (PI) specification
+  should be consulted.
+
+- DXE: Driver eXecution Environment, pronounced as "Dixie". This "is the phase
+  where the bulk of the booting occurs: devices are enumerated and initialized,
+  UEFI services are supported, and protocols and drivers are implemented. Also,
+  the tables that create the UEFI interface are produced".
+
+  On the PEI/DXE boundary, the HOBs produced by PEI are consumed. For example,
+  this is how the memory space map is configured initially.
+
+- BDS: Boot Device Selection. It is "responsible for determining how and where
+  you want to boot the operating system".
+
+  When developing DXE and BDS code, it is mainly the UEFI specification that
+  should be consulted. When speaking about DXE, BDS is frequently considered to
+  be a part of it.
+
+The following concepts are tied to specific boot process phases:
+
+- PEIM: a PEI Module (pronounced "PIM"). A binary module running in the PEI
+  phase, consuming some PPIs and producing other PPIs, and producing HOBs.
+
+- PPI: PEIM-to-PEIM interface. A structure of function pointers and related
+  data members that establishes a PEI service, or an instance of a PEI service.
+  PPIs are identified by GUID.
+
+  An example is EFI_PEI_S3_RESUME2_PPI (6D582DBC-DB85-4514-8FCC-5ADF6227B147).
+
+- DXE driver: a binary module running in the DXE and BDS phases, consuming some
+  protocols and producing other protocols.
+
+- Protocol: A structure of function pointers and related data members that
+  establishes a DXE service, or an instance of a DXE service. Protocols are
+  identified by GUID.
+
+  An example is EFI_BLOCK_IO_PROTOCOL (964E5B21-6459-11D2-8E39-00A0C969723B).
+
+- Architectural protocols: a set of standard protocols that are foundational to
+  the working of a UEFI system. Each architectural protocol has at most one
+  instance. Architectural protocols are implemented by a subset of DXE drivers.
+  DXE drivers explicitly list the set of protocols (including architectural
+  protocols) that they need to work. UEFI drivers can only be loaded once all
+  architectural protocols have become available during the DXE phase.
+
+  An example is EFI_VARIABLE_WRITE_ARCH_PROTOCOL
+  (6441F818-6362-4E44-B570-7DBA31DD2453).
+
+Project structure
+-----------------
+
+The term "OVMF" usually denotes the project (community and development effort)
+that provide and maintain the subject matter UEFI firmware for virtual
+machines. However the term is also frequently applied to the firmware binary
+proper that a virtual machine executes.
+
+OVMF emerges as a compilation of several modules from the edk2 source
+repository. "edk2" stands for EFI Development Kit II; it is a "modern,
+feature-rich, cross-platform firmware development environment for the UEFI and
+PI specifications".
+
+The composition of OVMF is dictated by the following build control files:
+
+  OvmfPkg/OvmfPkgIa32.dsc
+  OvmfPkg/OvmfPkgIa32.fdf
+
+  OvmfPkg/OvmfPkgIa32X64.dsc
+  OvmfPkg/OvmfPkgIa32X64.fdf
+
+  OvmfPkg/OvmfPkgX64.dsc
+  OvmfPkg/OvmfPkgX64.fdf
+
+The format of these files is described in the edk2 DSC and FDF specifications.
+Roughly, the DSC file determines:
+- library instance resolutions for library class requirements presented by the
+  modules to be compiled,
+- the set of modules to compile.
+
+The FDF file roughly determines:
+- what binary modules (compilation output files, precompiled binaries, graphics
+  image files, verbatim binary sections) to include in the firmware image,
+- how to lay out the firmware image.
+
+The Ia32 flavor of these files builds a firmware where both PEI and DXE phases
+are 32-bit. The Ia32X64 flavor builds a firmware where the PEI phase consists
+of 32-bit modules, and the DXE phase is 64-bit. The X64 flavor builds a purely
+64-bit firmware.
+
+The word size of the DXE phase must match the word size of the runtime OS -- a
+32-bit DXE can't cooperate with a 64-bit OS, and a 64-bit DXE can't work a
+32-bit OS.
+
+OVMF pulls together modules from across the edk2 tree. For example:
+
+- common drivers and libraries that are platform independent are usually
+  located under MdeModulePkg and MdePkg,
+
+- common but hardware-specific drivers and libraries that match QEMU's
+  pc-i440fx-* machine type are pulled in from IntelFrameworkModulePkg,
+  PcAtChipsetPkg and UefiCpuPkg,
+
+- the platform independent UEFI Shell is built from ShellPkg,
+
+- OvmfPkg includes drivers and libraries that are useful for virtual machines
+  and may or may not be specific to QEMU's pc-i440fx-* machine type.
+
+Platform Configuration Database (PCD)
+-------------------------------------
+
+Like the "Phases of the boot process" section, this one introduces a concept in
+very raw form. We defer to the PCD related edk2 specifications, and we won't
+discuss implementation details here. Our purpose is only to offer the reader a
+usable (albeit possibly inaccurate) definition, so that we can refer to PCDs
+later on.
+
+Colloquially, when we say "PCD", we actually mean "PCD entry"; that is, an
+entry stored in the Platform Configuration Database.
+
+The Platform Configuration Database is
+- a firmware-wide
+- name-value store
+- of scalars and buffers
+- where each entry may be
+  - build-time constant, or
+  - run-time dynamic, or
+  - theoretically, a middle option: patchable in the firmware file itself,
+    using a dedicated tool. (OVMF does not utilize externally patchable
+    entries.)
+
+A PCD entry is declared in the DEC file of the edk2 top-level Package directory
+whose modules (drivers and libraries) are the primary consumers of the PCD
+entry. (See for example OvmfPkg/OvmfPkg.dec). Basically, a PCD in a DEC file
+exposes a simple customization point.
+
+Interest in a PCD entry is communicated to the build system by naming the PCD
+entry in the INF file of the interested module (application, driver or
+library). The module may read and -- dependent on the PCD entry's category --
+write the PCD entry.
+
+Let's investigate the characteristics of the Database and the PCD entries.
+
+- Firmware-wide: technically, all modules may access all entries they are
+  interested in, assuming they advertise their interest in their INF files.
+  With careful design, PCDs enable inter-driver propagation of (simple) system
+  configuration. PCDs are available in both PEI and DXE.
+
+  (UEFI drivers meant to be portable (ie. from third party vendors) are not
+  supposed to use PCDs, since PCDs qualify internal to the specific edk2
+  firmware in question.)
+
+- Name-value store of scalars and buffers: each PCD has a symbolic name, and a
+  fixed scalar type (UINT16, UINT32 etc), or VOID* for buffers. Each PCD entry
+  belongs to a namespace, where a namespace is (obviously) a GUID, defined in
+  the DEC file.
+
+- A DEC file can permit several categories for a PCD:
+  - build-time constant ("FixedAtBuild"),
+  - patchable in the firmware image ("PatchableInModule", unused in OVMF),
+  - runtime modifiable ("Dynamic").
+
+The platform description file (DSC) of a top-level Package directory may choose
+the exact category for a given PCD entry that its modules wish to use, and
+assign a default (or constant) initial value to it.
+
+In addition, the edk2 build system too can initialize PCD entries to values
+that it calculates while laying out the flash device image. Such PCD
+assignments are described in the FDF control file.
+
+Firmware image structure
+------------------------
+
+(We assume the common X64 choice for both PEI and DXE, and the default DEBUG
+build target.)
+
+The OvmfPkg/OvmfPkgX64.fdf file defines the following layout for the flash
+device image "OVMF.fd":
+
+  Description                     Compression type        Size
+  ------------------------------  ----------------------  -------
+  Non-volatile data storage       open-coded binary data   128 KB
+    Variable store                                          56 KB
+    Event log                                                4 KB
+    Working block                                            4 KB
+    Spare area                                              64 KB
+
+  FVMAIN_COMPACT                  uncompressed            1712 KB
+    FV Firmware File System file  LZMA compressed
+      PEIFV                       uncompressed             896 KB
+        individual PEI modules    uncompressed
+      DXEFV                       uncompressed            8192 KB
+        individual DXE modules    uncompressed
+
+  SECFV                           uncompressed             208 KB
+    SEC driver
+    reset vector code
+
+The top-level image consists of three regions (three firmware volumes):
+- non-volatile data store (128 KB),
+- main firmware volume (FVMAIN_COMPACT, 1712 KB),
+- firmware volume containing the reset vector code and the SEC phase code (208
+  KB).
+
+In total, the OVMF.fd file has size 128 KB + 1712 KB + 208 KB == 2 MB.
+
+(1) The firmware volume with non-volatile data store (128 KB) has the following
+    internal structure, in blocks of 4 KB:
+
+            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  L: event log
+       LIVE | varstore                  |L|W|  W: working block
+            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      SPARE |                               |
+            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+    The first half of this firmware volume is "live", while the second half is
+    "spare". The spare half is important when the variable driver reclaims
+    unused storage and reorganizes the variable store.
+
+    The live half dedicates 14 blocks (56 KB) to the variable store itself. On
+    top of those, one block is set aside for an event log, and one block is
+    used as the working block of the fault tolerant write protocol. Fault
+    tolerant writes are used to recover from an occasional (virtual) power loss
+    during variable updates.
+
+    The blocks in this firmware volume are accessed, in stacking order from
+    least abstract to most abstract, by:
+
+    - EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL (provided by
+      OvmfPkg/QemuFlashFvbServicesRuntimeDxe),
+
+    - EFI_FAULT_TOLERANT_WRITE_PROTOCOL (provided by
+      MdeModulePkg/Universal/FaultTolerantWriteDxe),
+
+    - architectural protocols instrumental to the runtime UEFI variable
+      services:
+      - EFI_VARIABLE_ARCH_PROTOCOL,
+      - EFI_VARIABLE_WRITE_ARCH_PROTOCOL.
+
+      In a non-secure boot build, the DXE driver providing these architectural
+      protocols is MdeModulePkg/Universal/Variable/RuntimeDxe. In a secure boot
+      build, where authenticated variables are available, the DXE driver
+      offering these protocols is SecurityPkg/VariableAuthenticated/RuntimeDxe.
+
+(2) The main firmware volume (FVMAIN_COMPACT, 1712 KB) embeds further firmware
+    volumes. The outermost layer is a Firmware File System (FFS), carrying a
+    single file. This file holds an LZMA-compressed section, which embeds two
+    firmware volumes: PEIFV (896 KB) with PEIMs, and DXEFV (8192 KB) with DXE
+    and UEFI drivers.
+
+    This scheme enables us to build 896 KB worth of PEI drivers and 8192 KB
+    worth of DXE and UEFI drivers, compress them all with LZMA in one go, and
+    store the compressed result in 1712 KB, saving room in the flash device.
+
+(3) The SECFV firmware volume (208 KB) is not compressed. It carries the
+    "volume top file" with the reset vector code, to end at 4 GB in
+    guest-physical address space, and the SEC phase driver (OvmfPkg/Sec).
+
+    The last 16 bytes of the volume top file (mapped directly under 4 GB)
+    contain a NOP slide and a jump instruction. This is where QEMU starts
+    executing the firmware, at address 0xFFFF_FFF0. The reset vector and the
+    SEC driver run from flash directly.
+
+    The SEC driver locates FVMAIN_COMPACT in the flash, and decompresses the
+    main firmware image to RAM. The rest of OVMF (PEI, DXE, BDS phases) run
+    from RAM.
+
+As already mentioned, the OVMF.fd file is mapped by qemu's
+"hw/block/pflash_cfi01.c" device just under 4 GB in guest-physical address
+space, according to the command line option
+
+  -drive if=pflash,format=raw,file=fedora.flash
+
+(refer to the Example qemu invocation). This is a "ROMD device", which can
+switch out of "ROMD mode" and back into it.
+
+Namely, in the default ROMD mode, the guest-physical address range backed by
+the flash device reads and executes as ROM (it does not trap from KVM to QEMU).
+The first write access in this mode traps to QEMU, and flips the device out of
+ROMD mode.
+
+In non-ROMD mode, the flash chip is programmed by storing CFI (Common Flash
+Interface) command values at the flash-covered addresses; both reads and writes
+trap to QEMU, and the flash contents are modified and synchronized to the
+host-side file. A special CFI command flips the flash device back to ROMD mode.
+
+Qemu implements the above based on the KVM_CAP_READONLY_MEM / KVM_MEM_READONLY
+KVM features, and OVMF puts it to use in its EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL
+implementation, under "OvmfPkg/QemuFlashFvbServicesRuntimeDxe".
+
+IMPORTANT: Never pass OVMF.fd to qemu with the -bios option. That option maps
+the firmware image as ROM into the guest's address space, and forces OVMF to
+emulate non-volatile variables with a fallback driver that is bound to have
+insufficient and confusing semantics.
+
+The 128 KB firmware volume with the variable store, discussed under (1), is
+also built as a separate host-side file, named "OVMF_VARS.fd". The "rest" is
+built into a third file, "OVMF_CODE.fd", which is only 1920 KB in size. The
+variable store is mapped into its usual location, at 4 GB - 2 MB = 0xFFE0_0000,
+through the following qemu options:
+
+  -drive if=pflash,format=raw,readonly,file=OVMF_CODE.fd   \
+  -drive if=pflash,format=raw,file=fedora.varstore.fd
+
+This way qemu configures two flash chips consecutively, with start addresses
+growing downwards, which is transparent to OVMF.
+
+[RHEL] Red Hat Enterprise Linux 7.1 ships a Secure Boot-enabled, X64, DEBUG
+       firmware only. Furthermore, only the split files ("OVMF_VARS.fd" and
+       "OVMF_CODE.fd") are available.
+
+S3 (suspend to RAM and resume)
+------------------------------
+
+As noted in Example qemu invocation, the
+
+  -global PIIX4_PM.disable_s3=0
+
+command line option tells qemu and OVMF if the user would like to enable S3
+support. (This is corresponds to the /domain/pm/suspend-to-mem/@enabled libvirt
+domain XML attribute.)
+
+Implementing / orchestrating S3 was a considerable community effort in OVMF. A
+detailed description exceeds the scope of this report; we only make a few
+statements.
+
+(1) S3-related PPIs and protocols are well documented in the PI specification.
+
+(2) Edk2 contains most modules that are needed to implement S3 on a given
+    platform. One abstraction that is central to the porting / extending of the
+    S3-related modules to a new platform is the LockBox library interface,
+    which a specific platform can fill in by implementing its own LockBox
+    library instance.
+
+    The LockBox library provides a privileged name-value store (to be addressed
+    by GUIDs). The privilege separation stretches between the firmware and the
+    operating system. That is, the S3-related machinery of the firmware saves
+    some items in the LockBox securely, under well-known GUIDs, before booting
+    the operating system. During resume (which is a form of warm reset), the
+    firmware is activated again, and retrieves items from the LockBox. Before
+    jumping to the OS's resume vector, the LockBox is secured again.
+
+    We'll return to this later when we separately discuss SMRAM and SMM.
+
+(3) During resume, the DXE and later phases are never reached; only the reset
+    vector, and the SEC and PEI phases of the firmware run. The platform is
+    supposed to detect a resume in progress during PEI, and to store that fact
+    in the BootMode field of the Phase Handoff Information Table (PHIT) HOB.
+    OVMF keys this off the CMOS, see OvmfPkg/PlatformPei.
+
+    At the end of PEI, the DXE IPL PEIM (Initial Program Load PEI Module, see
+    MdeModulePkg/Core/DxeIplPeim) examines the Boot Mode, and if it says "S3
+    resume in progress", then the IPL branches to the PEIM that exports
+    EFI_PEI_S3_RESUME2_PPI (provided by UefiCpuPkg/Universal/Acpi/S3Resume2Pei)
+    rather than loading the DXE core.
+
+    S3Resume2Pei executes the technical steps of the resumption, relying on the
+    contents of the LockBox.
+
+(4) During first boot (or after a normal platform reset), when DXE does run,
+    hardware drivers in the DXE phase are encouraged to "stash" their hardware
+    configuration steps (eg. accesses to PCI config space, I/O ports, memory
+    mapped addresses, and so on) in a centrally maintained, so called "S3 boot
+    script". Hardware accesses are represented with opcodes of a special binary
+    script language.
+
+    This boot script is to be replayed during resume, by S3Resume2Pei. The
+    general goal is to bring back hardware devices -- which have been powered
+    off during suspend -- to their original after-first-boot state, and in
+    particular, to do so quickly.
+
+    At the moment, OVMF saves only one opcode in the S3 resume boot script: an
+    INFORMATION opcode, with contents 0xDEADBEEF (in network byte order). The
+    consensus between Linux developers seems to be that boot firmware is only
+    responsible for restoring basic chipset state, which OVMF does during PEI
+    anyway, independently of S3 vs. normal reset. (One example is the power
+    management registers of the i440fx chipset.) Device and peripheral state is
+    the responsibility of the runtime operating system.
+
+    Although an experimental OVMF S3 boot script was at one point captured for
+    the virtual Cirrus VGA card, such a boot script cannot follow eg. video
+    mode changes effected by the OS. Hence the operating system can never avoid
+    restoring device state, and most Linux display drivers (eg. stdvga, QXL)
+    already cover S3 resume fully.
+
+    The XDDM and WDDM driver models used under Windows OSes seem to recognize
+    this notion of runtime OS responsibility as well. (See the list of OSes
+    supported by OVMF in a separate section.)
+
+(5) The S3 suspend/resume data flow in OVMF is included here tersely, for
+    interested developers.
+
+    (a) BdsLibBootViaBootOption()
+          EFI_ACPI_S3_SAVE_PROTOCOL [AcpiS3SaveDxe]
+          - saves ACPI S3 Context to LockBox  ---------------------+
+            (including FACS address -- FACS ACPI table             |
+            contains OS waking vector)                             |
+                                                                   |
+          - prepares boot script:                                  |
+            EFI_S3_SAVE_STATE_PROTOCOL.Write() [S3SaveStateDxe]    |
+              S3BootScriptLib [PiDxeS3BootScriptLib]               |
+              - opcodes & arguments are saved in NVS.  --+         |
+                                                         |         |
+          - issues a notification by installing          |         |
+            EFI_DXE_SMM_READY_TO_LOCK_PROTOCOL           |         |
+                                                         |         |
+    (b) EFI_S3_SAVE_STATE_PROTOCOL [S3SaveStateDxe]      |         |
+          S3BootScriptLib [PiDxeS3BootScriptLib]         |         |
+          - closes script with special opcode  <---------+         |
+          - script is available in non-volatile memory             |
+            via PcdS3BootScriptTablePrivateDataPtr  --+            |
+                                                      |            |
+        BootScriptExecutorDxe                         |            |
+          S3BootScriptLib [PiDxeS3BootScriptLib]      |            |
+          - Knows about boot script location by  <----+            |
+            synchronizing with the other library                   |
+            instance via                                           |
+            PcdS3BootScriptTablePrivateDataPtr.                    |
+          - Copies relocated image of itself to                    |
+            reserved memory. --------------------------------+     |
+          - Saved image contains pointer to boot script.  ---|--+  |
+                                                             |  |  |
+    Runtime:                                                 |  |  |
+                                                             |  |  |
+    (c) OS is booted, writes OS waking vector to FACS,       |  |  |
+        suspends machine                                     |  |  |
+                                                             |  |  |
+    S3 Resume (PEI):                                         |  |  |
+                                                             |  |  |
+    (d) PlatformPei sets S3 Boot Mode based on CMOS          |  |  |
+                                                             |  |  |
+    (e) DXE core is skipped and EFI_PEI_S3_RESUME2 is        |  |  |
+        called as last step of PEI                           |  |  |
+                                                             |  |  |
+    (f) S3Resume2Pei retrieves from LockBox:                 |  |  |
+        - ACPI S3 Context (path to FACS)  <------------------|--|--+
+                                          |                  |  |
+                                          +------------------|--|--+
+        - Boot Script Executor Image  <----------------------+  |  |
+                                                                |  |
+    (g) BootScriptExecutorDxe                                   |  |
+          S3BootScriptLib [PiDxeS3BootScriptLib]                |  |
+          - executes boot script  <-----------------------------+  |
+                                                                   |
+    (h) OS waking vector available from ACPI S3 Context / FACS  <--+
+        is called
+
+A comprehensive memory map of OVMF
+----------------------------------
+
+The following section gives a detailed analysis of memory ranges below 4 GB
+that OVMF statically uses.
+
+In the rightmost column, the PCD entry is identified by which the source refers
+to the address or size in question.
+
+The flash-covered range has been discussed previously in "Firmware image
+structure", therefore we include it only for completeness. Due to the fact that
+this range is always backed by a memory mapped device (and never RAM), it is
+unaffected by S3 (suspend to RAM and resume).
+
++--------------------------+ 4194304 KB
+|                          |
+|          SECFV           | size: 208 KB
+|                          |
++--------------------------+ 4194096 KB
+|                          |
+|      FVMAIN_COMPACT      | size: 1712 KB
+|                          |
++--------------------------+ 4192384 KB
+|                          |
+|      variable store      | size: 64 KB   PcdFlashNvStorageFtwSpareSize
+|        spare area        |
+|                          |
++--------------------------+ 4192320 KB    PcdOvmfFlashNvStorageFtwSpareBase
+|                          |
+|    FTW working block     | size: 4 KB    PcdFlashNvStorageFtwWorkingSize
+|                          |
++--------------------------+ 4192316 KB    PcdOvmfFlashNvStorageFtwWorkingBase
+|                          |
+|       Event log of       | size: 4 KB    PcdOvmfFlashNvStorageEventLogSize
+|   non-volatile storage   |
+|                          |
++--------------------------+ 4192312 KB    PcdOvmfFlashNvStorageEventLogBase
+|                          |
+|      variable store      | size: 56 KB   PcdFlashNvStorageVariableSize
+|                          |
++--------------------------+ 4192256 KB    PcdOvmfFlashNvStorageVariableBase
+
+The flash-mapped image of OVMF.fd covers the entire structure above (2048 KB).
+
+When using the split files, the address 4192384 KB
+(PcdOvmfFlashNvStorageFtwSpareBase + PcdFlashNvStorageFtwSpareSize) is the
+boundary between the mapped images of OVMF_VARS.fd (56 KB + 4 KB + 4 KB + 64 KB
+= 128 KB) and OVMF_CODE.fd (1712 KB + 208 KB = 1920 KB).
+
+With regard to RAM that is statically used by OVMF, S3 (suspend to RAM and
+resume) complicates matters. Many ranges have been introduced only to support
+S3, hence for all ranges below, the following questions will be audited:
+
+(a) when and how a given range is initialized after first boot of the VM,
+(b) how it is protected from memory allocations during DXE,
+(c) how it is protected from the OS,
+(d) how it is accessed on the S3 resume path,
+(e) how it is accessed on the warm reset path.
+
+Importantly, the term "protected" is meant as protection against inadvertent
+reallocations and overwrites by co-operating DXE and OS modules. It does not
+imply security against malicious code.
+
++--------------------------+ 17408 KB
+|                          |
+|DXEFV from FVMAIN_COMPACT | size: 8192 KB PcdOvmfDxeMemFvSize
+|  decompressed firmware   |
+| volume with DXE modules  |
+|                          |
++--------------------------+ 9216 KB       PcdOvmfDxeMemFvBase
+|                          |
+|PEIFV from FVMAIN_COMPACT | size: 896 KB  PcdOvmfPeiMemFvSize
+|  decompressed firmware   |
+| volume with PEI modules  |
+|                          |
++--------------------------+ 8320 KB       PcdOvmfPeiMemFvBase
+|                          |
+| permanent PEI memory for | size: 32 KB   PcdS3AcpiReservedMemorySize
+|   the S3 resume path     |
+|                          |
++--------------------------+ 8288 KB       PcdS3AcpiReservedMemoryBase
+|                          |
+|  temporary SEC/PEI heap  | size: 32 KB   PcdOvmfSecPeiTempRamSize
+|         and stack        |
+|                          |
++--------------------------+ 8256 KB       PcdOvmfSecPeiTempRamBase
+|                          |
+|          unused          | size: 32 KB
+|                          |
++--------------------------+ 8224 KB
+|                          |
+|      SEC's table of      | size: 4 KB    PcdGuidedExtractHandlerTableSize
+| GUIDed section handlers  |
+|                          |
++--------------------------+ 8220 KB       PcdGuidedExtractHandlerTableAddress
+|                          |
+|     LockBox storage      | size: 4 KB    PcdOvmfLockBoxStorageSize
+|                          |
++--------------------------+ 8216 KB       PcdOvmfLockBoxStorageBase
+|                          |
+| early page tables on X64 | size: 24 KB   PcdOvmfSecPageTablesSize
+|                          |
++--------------------------+ 8192 KB       PcdOvmfSecPageTablesBase
+
+(1) Early page tables on X64:
+
+  (a) when and how it is initialized after first boot of the VM
+
+    The range is filled in during the SEC phase
+    [OvmfPkg/ResetVector/Ia32/PageTables64.asm]. The CR3 register is verified
+    against the base address in SecCoreStartupWithStack()
+    [OvmfPkg/Sec/SecMain.c].
+
+  (b) how it is protected from memory allocations during DXE
+
+    If S3 was enabled on the QEMU command line (see "-global
+    PIIX4_PM.disable_s3=0" earlier), then InitializeRamRegions()
+    [OvmfPkg/PlatformPei/MemDetect.c] protects the range with an AcpiNVS memory
+    allocation HOB, in PEI.
+
+    If S3 was disabled, then this range is not protected. DXE's own page tables
+    are first built while still in PEI (see HandOffToDxeCore()
+    [MdeModulePkg/Core/DxeIplPeim/X64/DxeLoadFunc.c]). Those tables are located
+    in permanent PEI memory. After CR3 is switched over to them (which occurs
+    before jumping to the DXE core entry point), we don't have to preserve the
+    initial tables.
+
+  (c) how it is protected from the OS
+
+    If S3 is enabled, then (1b) reserves it from the OS too.
+
+    If S3 is disabled, then the range needs no protection.
+
+  (d) how it is accessed on the S3 resume path
+
+    It is rewritten same as in (1a), which is fine because (1c) reserved it.
+
+  (e) how it is accessed on the warm reset path
+
+    It is rewritten same as in (1a).
+
+(2) LockBox storage:
+
+  (a) when and how it is initialized after first boot of the VM
+
+    InitializeRamRegions() [OvmfPkg/PlatformPei/MemDetect.c] zeroes out the
+    area during PEI. This is correct but not strictly necessary, since on first
+    boot the area is zero-filled anyway.
+
+    The LockBox signature of the area is filled in by the PEI module or DXE
+    driver that has been linked against OVMF's LockBoxLib and is run first. The
+    signature is written in LockBoxLibInitialize()
+    [OvmfPkg/Library/LockBoxLib/LockBoxLib.c].
+
+    Any module calling SaveLockBox() [OvmfPkg/Library/LockBoxLib/LockBoxLib.c]
+    will co-populate this area.
+
+  (b) how it is protected from memory allocations during DXE
+
+    If S3 is enabled, then InitializeRamRegions()
+    [OvmfPkg/PlatformPei/MemDetect.c] protects the range as AcpiNVS.
+
+    Otherwise, the range is covered with a BootServicesData memory allocation
+    HOB.
+
+  (c) how it is protected from the OS
+
+    If S3 is enabled, then (2b) protects it sufficiently.
+
+    Otherwise the range requires no runtime protection, and the
+    BootServicesData allocation type from (2b) ensures that the range will be
+    released to the OS.
+
+  (d) how it is accessed on the S3 resume path
+
+    The S3 Resume PEIM restores data from the LockBox, which has been correctly
+    protected in (2c).
+
+  (e) how it is accessed on the warm reset path
+
+    InitializeRamRegions() [OvmfPkg/PlatformPei/MemDetect.c] zeroes out the
+    range during PEI, effectively emptying the LockBox. Modules will
+    re-populate the LockBox as described in (2a).
+
+(3) SEC's table of GUIDed section handlers
+
+  (a) when and how it is initialized after first boot of the VM
+
+    The following two library instances are linked into SecMain:
+    - IntelFrameworkModulePkg/Library/LzmaCustomDecompressLib,
+    - MdePkg/Library/BaseExtractGuidedSectionLib.
+
+    The first library registers its LZMA decompressor plugin (which is a called
+    a "section handler") by calling the second library:
+
+    LzmaDecompressLibConstructor() [GuidedSectionExtraction.c]
+      ExtractGuidedSectionRegisterHandlers() [BaseExtractGuidedSectionLib.c]
+
+    The second library maintains its table of registered "section handlers", to
+    be indexed by GUID, in this fixed memory area, independently of S3
+    enablement.
+
+    (The decompression of FVMAIN_COMPACT's FFS file section that contains the
+    PEIFV and DXEFV firmware volumes occurs with the LZMA decompressor
+    registered above. See (6) and (7) below.)
+
+  (b) how it is protected from memory allocations during DXE
+
+    There is no need to protect this area from DXE: because nothing else in
+    OVMF links against BaseExtractGuidedSectionLib, the area loses its
+    significance as soon as OVMF progresses from SEC to PEI, therefore DXE is
+    allowed to overwrite the region.
+
+  (c) how it is protected from the OS
+
+    When S3 is enabled, we cover the range with an AcpiNVS memory allocation
+    HOB in InitializeRamRegions().
+
+    When S3 is disabled, the range is not protected.
+
+  (d) how it is accessed on the S3 resume path
+
+    The table of registered section handlers is again managed by
+    BaseExtractGuidedSectionLib linked into SecMain exclusively. Section
+    handler registrations update the table in-place (based on GUID matches).
+
+  (e) how it is accessed on the warm reset path
+
+    If S3 is enabled, then the OS won't damage the table (due to (3c)), thus
+    see (3d).
+
+    If S3 is disabled, then the OS has most probably overwritten the range with
+    its own data, hence (3a) -- complete reinitialization -- will come into
+    effect, based on the table signature check in BaseExtractGuidedSectionLib.
+
+(4) temporary SEC/PEI heap and stack
+
+  (a) when and how it is initialized after first boot of the VM
+
+    The range is configured in [OvmfPkg/Sec/X64/SecEntry.S] and
+    SecCoreStartupWithStack() [OvmfPkg/Sec/SecMain.c]. The stack half is read &
+    written by the CPU transparently. The heap half is used for memory
+    allocations during PEI.
+
+    Data is migrated out (to permanent PEI stack & memory) in (or soon after)
+    PublishPeiMemory() [OvmfPkg/PlatformPei/MemDetect.c].
+
+  (b) how it is protected from memory allocations during DXE
+
+    It is not necessary to protect this range during DXE because its use ends
+    still in PEI.
+
+  (c) how it is protected from the OS
+
+    If S3 is enabled, then InitializeRamRegions()
+    [OvmfPkg/PlatformPei/MemDetect.c] reserves it as AcpiNVS.
+
+    If S3 is disabled, then the range doesn't require protection.
+
+  (d) how it is accessed on the S3 resume path
+
+    Same as in (4a), except the target area of the migration triggered by
+    PublishPeiMemory() [OvmfPkg/PlatformPei/MemDetect.c] is different -- see
+    (5).
+
+  (e) how it is accessed on the warm reset path
+
+    Same as in (4a). The stack and heap halves both may contain garbage, but it
+    doesn't matter.
+
+(5) permanent PEI memory for the S3 resume path
+
+  (a) when and how it is initialized after first boot of the VM
+
+    No particular initialization or use.
+
+  (b) how it is protected from memory allocations during DXE
+
+    We don't need to protect this area during DXE.
+
+  (c) how it is protected from the OS
+
+    When S3 is enabled, InitializeRamRegions()
+    [OvmfPkg/PlatformPei/MemDetect.c] makes sure the OS stays away by covering
+    the range with an AcpiNVS memory allocation HOB.
+
+    When S3 is disabled, the range needs no protection.
+
+  (d) how it is accessed on the S3 resume path
+
+    PublishPeiMemory() installs the range as permanent RAM for PEI. The range
+    will serve as stack and will satisfy allocation requests during the rest of
+    PEI. OS data won't overlap due to (5c).
+
+  (e) how it is accessed on the warm reset path
+
+    Same as (5a).
+
+(6) PEIFV -- decompressed firmware volume with PEI modules
+
+  (a) when and how it is initialized after first boot of the VM
+
+    DecompressMemFvs() [OvmfPkg/Sec/SecMain.c] populates the area, by
+    decompressing the flash-mapped FVMAIN_COMPACT volume's contents. (Refer to
+    "Firmware image structure".)
+
+  (b) how it is protected from memory allocations during DXE
+
+    When S3 is disabled, PeiFvInitialization() [OvmfPkg/PlatformPei/Fv.c]
+    covers the range with a BootServicesData memory allocation HOB.
+
+    When S3 is enabled, the same is coverage is ensured, just with the stronger
+    AcpiNVS memory allocation type.
+
+  (c) how it is protected from the OS
+
+    When S3 is disabled, it is not necessary to keep the range from the OS.
+
+    Otherwise the AcpiNVS type allocation from (6b) provides coverage.
+
+  (d) how it is accessed on the S3 resume path
+
+    Rather than decompressing it again from FVMAIN_COMPACT, GetS3ResumePeiFv()
+    [OvmfPkg/Sec/SecMain.c] reuses the protected area for parsing / execution
+    from (6c).
+
+  (e) how it is accessed on the warm reset path
+
+    Same as (6a).
+
+(7) DXEFV -- decompressed firmware volume with DXE modules
+
+  (a) when and how it is initialized after first boot of the VM
+
+    Same as (6a).
+
+  (b) how it is protected from memory allocations during DXE
+
+    PeiFvInitialization() [OvmfPkg/PlatformPei/Fv.c] covers the range with a
+    BootServicesData memory allocation HOB.
+
+  (c) how it is protected from the OS
+
+    The OS is allowed to release and reuse this range.
+
+  (d) how it is accessed on the S3 resume path
+
+    It's not; DXE never runs during S3 resume.
+
+  (e) how it is accessed on the warm reset path
+
+    Same as in (7a).
+
+Known Secure Boot limitations
+-----------------------------
+
+Under "Motivation" we've mentioned that OVMF's Secure Boot implementation is
+not suitable for production use yet -- it's only good for development and
+testing of standards-conformant, non-malicious guest code (UEFI and operating
+system alike).
+
+Now that we've examined the persistent flash device, the workings of S3, and
+the memory map, we can discuss two currently known shortcomings of OVMF's
+Secure Boot that in fact make it insecure. (Clearly problems other than these
+two might exist; the set of issues considered here is not meant to be
+exhaustive.)
+
+One trait of Secure Boot is tamper-evidence. Secure Boot may not prevent
+malicious modification of software components (for example, operating system
+drivers), but by being the root of integrity on a platform, it can catch (or
+indirectly contribute to catching) unauthorized changes, by way of signature
+and certificate checks at the earliest phases of boot.
+
+If an attacker can tamper with key material stored in authenticated and/or
+boot-time only persistent variables (for example, PK, KEK, db, dbt, dbx), then
+the intended security of this scheme is compromised. The UEFI 2.4A
+specification says
+
+- in section 28.3.4:
+
+  Platform Keys:
+
+    The public key must be stored in non-volatile storage which is tamper and
+    delete resistant.
+
+  Key Exchange Keys:
+
+    The public key must be stored in non-volatile storage which is tamper
+    resistant.
+
+- in section 28.6.1:
+
+  The signature database variables db, dbt, and dbx must be stored in
+  tamper-resistant non-volatile storage.
+
+(1) The combination of QEMU, KVM, and OVMF does not provide this kind of
+    resistance. The variable store in the emulated flash chip is directly
+    accessible to, and reprogrammable by, UEFI drivers, applications, and
+    operating systems.
+
+(2) Under "S3 (suspend to RAM and resume)" we pointed out that the LockBox
+    storage must be similarly secure and tamper-resistant.
+
+    On the S3 resume path, the PEIM providing EFI_PEI_S3_RESUME2_PPI
+    (UefiCpuPkg/Universal/Acpi/S3Resume2Pei) restores and interprets data from
+    the LockBox that has been saved there during boot. This PEIM, being part of
+    the firmware, has full access to the platform. If an operating system can
+    tamper with the contents of the LockBox, then at the next resume the
+    platform's integrity might be subverted.
+
+    OVMF stores the LockBox in normal guest RAM (refer to the memory map
+    section above). Operating systems and third party UEFI drivers and UEFI
+    applications that respect the UEFI memory map will not inadvertently
+    overwrite the LockBox storage, but there's nothing to prevent eg. a
+    malicious kernel from modifying the LockBox.
+
+One means to address these issues is SMM and SMRAM (System Management Mode and
+System Management RAM).
+
+During boot and resume, the firmware can enter and leave SMM and access SMRAM.
+Before the DXE phase is left, and control is transferred to the BDS phase (when
+third party UEFI drivers and applications can be loaded, and an operating
+system can be loaded), SMRAM is locked in hardware, and subsequent modules
+cannot access it directly. (See EFI_DXE_SMM_READY_TO_LOCK_PROTOCOL.)
+
+Once SMRAM has been locked, UEFI drivers and the operating system can enter SMM
+by raising a System Management Interrupt (SMI), at which point trusted code
+(part of the platform firmware) takes control. SMRAM is also unlocked by
+platform reset, at which point the boot firmware takes control again.
+
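Review bot: The LockBox entries in the memory map, (2c) "protects it sufficiently" and (2d) "correctly protected", read as a stronger guarantee than limitation (2) in this section allows. Limitation (2) states that OVMF keeps the LockBox in normal guest RAM and that nothing prevents a malicious kernel from modifying it before S3Resume2Pei restores and interprets it. The caveat that "protected" does not imply security against malicious code appears only once, ahead of the RAM map, so a reader who jumps straight to (2c)/(2d) can take away the wrong guarantee. Suggest rewording those two entries to say the range is protected only against co-operating DXE and OS modules, and pointing them at "Known Secure Boot limitations". Minor: "which is a called a" in (3a) and "the same is coverage is ensured" in (6b) each carry a stray word.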
+Variable store and LockBox in SMRAM
+-----------------------------------
+
+Edk2 provides almost all components to implement the variable store and the
+LockBox in SMRAM. In this section we summarize ideas for utilizing those
+facilities.
+
+The SMRAM and SMM infrastructure in edk2 is built up as follows:
+
+(1) The platform hardware provides SMM / SMI / SMRAM.
+
+    Qemu/KVM doesn't support these features currently and should implement them
+    in the longer term.
+
+(2) The platform vendor (in this case, OVMF developers) implement device
+    drivers for the platform's System Management Mode:
+
+    - EFI_SMM_CONTROL2_PROTOCOL: for raising a synchronous (and/or) periodic
+      SMI(s); that is, for entering SMM.
+
+    - EFI_SMM_ACCESS2_PROTOCOL: for describing and accessing SMRAM.
+
+    These protocols are documented in the PI Specification, Volume 4.
+
+(3) The platform DSC file is to include the following platform-independent
+    modules:
+
+    - MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf: SMM Initial Program Load
+    - MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf: SMM Core
+
+(4) At this point, modules of type DXE_SMM_DRIVER can be loaded.
+
+    Such drivers are privileged. They run in SMM, have access to SMRAM, and are
+    separated and switched from other drivers through SMIs. Secure
+    communication between unprivileged (non-SMM) and privileged (SMM) drivers
+    happens through EFI_SMM_COMMUNICATION_PROTOCOL (implemented by the SMM
+    Core, see (3)).
+
+    DXE_SMM_DRIVER modules must sanitize their input (coming from unprivileged
+    drivers) carefully.
+
+(5) The authenticated runtime variable services driver (for Secure Boot builds)
+    is located under "SecurityPkg/VariableAuthenticated/RuntimeDxe". OVMF
+    currently builds the driver (a DXE_RUNTIME_DRIVER module) with the
+    "VariableRuntimeDxe.inf" control file (refer to "OvmfPkg/OvmfPkgX64.dsc"),
+    which does not use SMM.
+
+    The directory includes two more INF files:
+
+    - VariableSmm.inf -- module type: DXE_SMM_DRIVER. A privileged driver that
+      runs in SMM and has access to SMRAM.
+
+    - VariableSmmRuntimeDxe.inf -- module type: DXE_RUNTIME_DRIVER. A
+      non-privileged driver that implements the variable runtime services
+      (replacing the current "VariableRuntimeDxe.inf" file) by communicating
+      with the above privileged SMM half via EFI_SMM_COMMUNICATION_PROTOCOL.
+
+(6) An SMRAM-based LockBox implementation needs to be discussed in two parts,
+    because the LockBox is accessed in both PEI and DXE.
+
+    (a) During DXE, drivers save data in the LockBox. A save operation is
+        layered as follows:
+
+        - The unprivileged driver wishing to store data in the LockBox links
+          against the "MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxDxeLib.inf"
+          library instance.
+
+          The library allows the unprivileged driver to format requests for the
+          privileged SMM LockBox driver (see below), and to parse responses.
+
+        - The privileged SMM LockBox driver is built from
+          "MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.inf". This
+          driver has module type DXE_SMM_DRIVER and can access SMRAM.
+
+          The driver delegates command parsing and response formatting to
+          "MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxSmmLib.inf".
+
+        - The above two halves (unprivileged and privileged) mirror what we've
+          seen in case of the variable service drivers, under (5).
+
+    (b) In PEI, the S3 Resume PEIM (UefiCpuPkg/Universal/Acpi/S3Resume2Pei)
+        retrieves data from the LockBox.
+
+        Presumably, S3Resume2Pei should be considered an "unprivileged PEIM",
+        and the SMRAM access should be layered as seen in DXE. Unfortunately,
+        edk2 does not implement all of the layers in PEI -- the code either
+        doesn't exist, or it is not open source:
+
+  role         | DXE: protocol/module           | PEI: PPI/module
+  -------------+--------------------------------+------------------------------
+  unprivileged | any                            | S3Resume2Pei.inf
+  driver       |                                |
+  -------------+--------------------------------+------------------------------
+  command      | LIBRARY_CLASS = LockBoxLib     | LIBRARY_CLASS = LockBoxLib
+  formatting   |                                |
+  and response | SmmLockBoxDxeLib.inf           | SmmLockBoxPeiLib.inf
+  parsing      |                                |
+  -------------+--------------------------------+------------------------------
+  privilege    | EFI_SMM_COMMUNICATION_PROTOCOL | EFI_PEI_SMM_COMMUNICATION_PPI
+  separation   |                                |
+               | PiSmmCore.inf                  | missing!
+  -------------+--------------------------------+------------------------------
+  platform SMM | EFI_SMM_CONTROL2_PROTOCOL      | PEI_SMM_CONTROL_PPI
+  and SMRAM    | EFI_SMM_ACCESS2_PROTOCOL       | PEI_SMM_ACCESS_PPI
+  access       |                                |
+               | to be done in OVMF             | to be done in OVMF
+  -------------+--------------------------------+------------------------------
+  command      | LIBRARY_CLASS = LockBoxLib     | LIBRARY_CLASS = LockBoxLib
+  parsing and  |                                |
+  response     | SmmLockBoxSmmLib.inf           | missing!
+  formatting   |                                |
+  -------------+--------------------------------+------------------------------
+  privileged   | SmmLockBox.inf                 | missing!
+  LockBox      |                                |
+  driver       |                                |
+
+        Alternatively, in the future OVMF might be able to provide a LockBoxLib
+        instance (an SmmLockBoxPeiLib substitute) for S3Resume2Pei that
+        accesses SMRAM directly, eliminating the need for deeper layers in the
+        stack (that is, EFI_PEI_SMM_COMMUNICATION_PPI and deeper).
+
+        In fact, a "thin" EFI_PEI_SMM_COMMUNICATION_PPI implementation whose
+        sole Communicate() member invariably returns EFI_NOT_STARTED would
+        cause the current SmmLockBoxPeiLib library instance to directly perform
+        full-depth SMRAM access and LockBox search, obviating the "missing"
+        cells. (With reference to A Tour Beyond BIOS: Implementing S3 Resume
+        with EDK2, by Jiewen Yao and Vincent Zimmer, October 2014.)
+
+Select features
+---------------
+
+In this section we'll browse the top-level "OvmfPkg" package directory, and
+discuss the more interesting drivers and libraries that have not been mentioned
+thus far.
+
+X64-specific reset vector for OVMF
+..................................
+
+The "OvmfPkg/ResetVector" directory customizes the reset vector (found in
+"UefiCpuPkg/ResetVector/Vtf0") for "OvmfPkgX64.fdf", that is, when the SEC/PEI
+phases run in 64-bit (ie. long) mode.
+
+The reset vector's control flow looks roughly like:
+
+  resetVector                               [Ia16/ResetVectorVtf0.asm]
+  EarlyBspInitReal16                        [Ia16/Init16.asm]
+  Main16                                    [Main.asm]
+    EarlyInit16                             [Ia16/Init16.asm]
+
+    ; Transition the processor from
+    ; 16-bit real mode to 32-bit flat mode
+    TransitionFromReal16To32BitFlat         [Ia16/Real16ToFlat32.asm]
+
+    ; Search for the
+    ; Boot Firmware Volume (BFV)
+    Flat32SearchForBfvBase                  [Ia32/SearchForBfvBase.asm]
+
+    ; Search for the SEC entry point
+    Flat32SearchForSecEntryPoint            [Ia32/SearchForSecEntry.asm]
+
+    %ifdef ARCH_IA32
+      ; Jump to the 32-bit SEC entry point
+    %else
+      ; Transition the processor
+      ; from 32-bit flat mode
+      ; to 64-bit flat mode
+      Transition32FlatTo64Flat              [Ia32/Flat32ToFlat64.asm]
+
+        SetCr3ForPageTables64               [Ia32/PageTables64.asm]
+          ; set CR3 to page tables
+          ; built into the ROM image
+
+        ; enable PAE
+        ; set LME
+        ; enable paging
+
+      ; Jump to the 64-bit SEC entry point
+    %endif
+
+On physical platforms, the initial page tables referenced by
+SetCr3ForPageTables64 are built statically into the flash device image, and are
+present in ROM at runtime. This is fine on physical platforms because the
+pre-built page table entries have the Accessed and Dirty bits set from the
+start.
+
+Accordingly, for OVMF running in long mode on qemu/KVM, the initial page tables
+were mapped as a KVM_MEM_READONLY slot, as part of QEMU's pflash device (refer
+to "Firmware image structure" above).
+
+In spite of the Accessed and Dirty bits being pre-set in the read-only,
+in-flash PTEs, in a virtual machine attempts are made to update said PTE bits,
+differently from physical hardware. The component attempting to update the
+read-only PTEs can be one of the following:
+
+- The processor itself, if it supports nested paging, and the user enables that
+  processor feature,
+
+- KVM code implementing shadow paging, otherwise.
+
+The first case presents no user-visible symptoms, but the second case (KVM,
+shadow paging) used to cause a triple fault, prior to Linux commit ba6a354
+("KVM: mmu: allow page tables to be in read-only slots").
+
+For compatibility with earlier KVM versions, the OvmfPkg/ResetVector directory
+adapts the generic reset vector code as follows:
+
+      Transition32FlatTo64Flat         [UefiCpuPkg/.../Ia32/Flat32ToFlat64.asm]
+
+        SetCr3ForPageTables64       [OvmfPkg/ResetVector/Ia32/PageTables64.asm]
+
+          ; dynamically build the initial page tables in RAM, at address
+          ; PcdOvmfSecPageTablesBase (refer to the memory map above),
+          ; identity-mapping the first 4 GB of address space
+
+          ; set CR3 to PcdOvmfSecPageTablesBase
+
+        ; enable PAE
+        ; set LME
+        ; enable paging
+
+This way the PTEs that earlier KVM versions try to update (during shadow
+paging) are located in a read-write memory slot, and the write attempts
+succeed.
+
+Client library for QEMU's firmware configuration interface
+..........................................................
+
+QEMU provides a write-only, 16-bit wide control port, and a read-write, 8-bit
+wide data port for exchanging configuration elements with the firmware.
+
+The firmware writes a selector (a key) to the control port (0x510), and then
+reads the corresponding configuration data (produced by QEMU) from the data
+port (0x511).
+
+If the selected entry is writable, the firmware may overwrite it. If QEMU has
+associated a callback with the entry, then when the entry is completely
+rewritten, QEMU runs the callback. (OVMF does not rewrite any entries at the
+moment.)
+
+A number of selector values (keys) are predefined. In particular, key 0x19
+selects (returns) a directory of { name, selector, size } triplets, roughly
+speaking.
+
+The firmware can request configuration elements by well-known name as well, by
+looking up the selector value first in the directory, by name, and then writing
+the selector to the control port. The number of bytes to read subsequently from
+the data port is known from the directory entry's "size" field.
+
+By convention, directory entries (well-known symbolic names of configuration
+elements) are formatted as POSIX pathnames. For example, the array selected by
+the "etc/system-states" name indicates (among other things) whether the user
+enabled S3 support in QEMU.
+
+The above interface is called "fw_cfg".
+
+The binary data associated with a symbolic name is called an "fw_cfg file".
+
+OVMF's fw_cfg client library is found in "OvmfPkg/Library/QemuFwCfgLib". OVMF
+discovers many aspects of the virtual system with it; we refer to a few
+examples below.
+
+Guest ACPI tables
+.................
+
+An operating system discovers a good amount of its hardware by parsing ACPI
+tables, and by interpreting ACPI objects and methods. On physical hardware, the
+platform vendor's firmware installs ACPI tables in memory that match both the
+hardware present in the system and the user's firmware configuration ("BIOS
+setup").
+
+Under qemu/KVM, the owner of the (virtual) hardware configuration is QEMU.
+Hardware can easily be reconfigured on the command line. Furthermore, features
+like CPU hotplug, PCI hotplug, memory hotplug are continuously developed for
+QEMU, and operating systems need direct ACPI support to exploit these features.
+
+For this reason, QEMU builds its own ACPI tables dynamically, in a
+self-descriptive manner, and exports them to the firmware through a complex,
+multi-file fw_cfg interface. It is rooted in the "etc/table-loader" fw_cfg
+file. (Further details of this interface are out of scope for this report.)
+
+OVMF's AcpiPlatformDxe driver fetches the ACPI tables, and installs them for
+the guest OS with the EFI_ACPI_TABLE_PROTOCOL (which is in turn provided by the
+generic "MdeModulePkg/Universal/Acpi/AcpiTableDxe" driver).
+
+For earlier QEMU versions and machine types (which we generally don't recommend
+for OVMF; see "Scope"), the "OvmfPkg/AcpiTables" directory contains a few
+static ACPI table templates. When the "etc/table-loader" fw_cfg file is
+unavailable, AcpiPlatformDxe installs these default tables (with a little bit
+of dynamic patching).
+
+When OVMF runs in a Xen domU, AcpiTableDxe also installs ACPI tables that
+originate from the hypervisor's environment.
+
+Guest SMBIOS tables
+...................
+
+Quoting the SMBIOS Reference Specification,
+
+  [...] the System Management BIOS Reference Specification addresses how
+  motherboard and system vendors present management information about their
+  products in a standard format [...]
+
+In practice SMBIOS tables are just another set of tables that the platform
+vendor's firmware installs in RAM for the operating system, and, importantly,
+for management applications running on the OS. Without rehashing the "Guest
+ACPI tables" section in full, let's map the OVMF roles seen there from ACPI to
+SMBIOS:
+
+  role                     | ACPI                    | SMBIOS
+  -------------------------+-------------------------+-------------------------
+  fw_cfg file              | etc/table-loader        | etc/smbios/smbios-tables
+  -------------------------+-------------------------+-------------------------
+  OVMF driver              | AcpiPlatformDxe         | SmbiosPlatformDxe
+  under "OvmfPkg"          |                         |
+  -------------------------+-------------------------+-------------------------
+  Underlying protocol,     | EFI_ACPI_TABLE_PROTOCOL | EFI_SMBIOS_PROTOCOL
+  implemented by generic   |                         |
+  driver under             | Acpi/AcpiTableDxe       | SmbiosDxe
+  "MdeModulePkg/Universal" |                         |
+  -------------------------+-------------------------+-------------------------
+  default tables available | yes                     | [RHEL] yes, Type0 and
+  for earlier QEMU machine |                         |        Type1 tables
+  types, with hot-patching |                         |
+  -------------------------+-------------------------+-------------------------
+  tables fetched in Xen    | yes                     | yes
+  domUs                    |                         |
+
+Platform-specific boot policy
+.............................
+
+OVMF's BDS (Boot Device Selection) phase is implemented by
+IntelFrameworkModulePkg/Universal/BdsDxe. Roughly speaking, this large driver:
+
+- provides the EFI BDS architectural protocol (which DXE transfers control to
+  after dispatching all DXE drivers),
+
+- connects drivers to devices,
+
+- enumerates boot devices,
+
+- auto-generates boot options,
+
+- provides "BIOS setup" screens, such as:
+
+  - Boot Manager, for booting an option,
+
+  - Boot Maintenance Manager, for adding, deleting, and reordering boot
+    options, changing console properties etc,
+
+  - Device Manager, where devices can register configuration forms, including
+
+    - Secure Boot configuration forms,
+
+    - OVMF's Platform Driver form (see under PlatformDxe).
+
+Firmware that includes the "IntelFrameworkModulePkg/Universal/BdsDxe" driver
+can customize its behavior by providing an instance of the PlatformBdsLib
+library class. The driver links against this platform library, and the
+platform library can call Intel's BDS utility functions from
+"IntelFrameworkModulePkg/Library/GenericBdsLib".
+
+OVMF's PlatformBdsLib instance can be found in
+"OvmfPkg/Library/PlatformBdsLib". The main function where the BdsDxe driver
+enters the library is PlatformBdsPolicyBehavior(). We mention two OVMF
+particulars here.
+
+(1) OVMF is capable of loading kernel images directly from fw_cfg, matching
+    QEMU's -kernel, -initrd, and -append command line options. This feature is
+    useful for rapid, repeated Linux kernel testing, and is implemented in the
+    following call tree:
+
+    PlatformBdsPolicyBehavior() [OvmfPkg/Library/PlatformBdsLib/BdsPlatform.c]
+      TryRunningQemuKernel() [OvmfPkg/Library/PlatformBdsLib/QemuKernel.c]
+        LoadLinux*() [OvmfPkg/Library/LoadLinuxLib/Linux.c]
+
+    OvmfPkg/Library/LoadLinuxLib ports the efilinux bootloader project into
+    OvmfPkg.
+
+(2) OVMF seeks to comply with the boot order specification passed down by QEMU
+    over fw_cfg.
+
+    (a) About Boot Modes
+
+      During the PEI phase, OVMF determines and stores the Boot Mode in the
+      PHIT HOB (already mentioned in "S3 (suspend to RAM and resume)"). The
+      boot mode is supposed to influence the rest of the system, for example it
+      distinguishes S3 resume (BOOT_ON_S3_RESUME) from a "normal" boot.
+
+      In general, "normal" boots can be further differentiated from each other;
+      for example for speed reasons. When the firmware can tell during PEI that
+      the chassis has not been opened since last power-up, then it might want
+      to save time by not connecting all devices and not enumerating all boot
+      options from scratch; it could just rely on the stored results of the
+      last enumeration. The matching BootMode value, to be set during PEI,
+      would be BOOT_ASSUMING_NO_CONFIGURATION_CHANGES.
+
+      OVMF only sets one of the following two boot modes, based on CMOS
+      contents:
+      - BOOT_ON_S3_RESUME,
+      - BOOT_WITH_FULL_CONFIGURATION.
+
+      For BOOT_ON_S3_RESUME, please refer to "S3 (suspend to RAM and resume)".
+      The other boot mode supported by OVMF, BOOT_WITH_FULL_CONFIGURATION, is
+      an appropriate "catch-all" for a virtual machine, where hardware can
+      easily change from boot to boot.
+
+    (b) Auto-generation of boot options
+
+      Accordingly, when not resuming from S3 sleep (*), OVMF always connects
+      all devices, and enumerates all bootable devices as new boot options
+      (non-volatile variables called Boot####).
+
+      (*) During S3 resume, DXE is not reached, hence BDS isn't either.
+
+      The auto-enumerated boot options are stored in the BootOrder non-volatile
+      variable after any preexistent options. (Boot options may exist before
+      auto-enumeration eg. because the user added them manually with the Boot
+      Maintenance Manager or the efibootmgr utility. They could also originate
+      from an earlier auto-enumeration.)
+
+      PlatformBdsPolicyBehavior()                   [OvmfPkg/.../BdsPlatform.c]
+        TryRunningQemuKernel()                       [OvmfPkg/.../QemuKernel.c]
+        BdsLibConnectAll()           [IntelFrameworkModulePkg/.../BdsConnect.c]
+        BdsLibEnumerateAllBootOption()  [IntelFrameworkModulePkg/.../BdsBoot.c]
+          BdsLibBuildOptionFromHandle() [IntelFrameworkModulePkg/.../BdsBoot.c]
+            BdsLibRegisterNewOption()   [IntelFrameworkModulePkg/.../BdsMisc.c]
+              //
+              // Append the new option number to the original option order
+              //
+
+    (c) Relative UEFI device paths in boot options
+
+      The handling of relative ("short-form") UEFI device paths is best
+      demonstrated through an example, and by quoting the UEFI 2.4A
+      specification.
+
+      A short-form hard drive UEFI device path could be (displaying each device
+      path node on a separate line for readability):
+
+        HD(1,GPT,14DD1CC5-D576-4BBF-8858-BAF877C8DF61,0x800,0x64000)/
+        \EFI\fedora\shim.efi
+
+      This device path lacks prefix nodes (eg. hardware or messaging type
+      nodes) that would lead to the hard drive. During load option processing,
+      the above short-form or relative device path could be matched against the
+      following absolute device path:
+
+        PciRoot(0x0)/
+        Pci(0x4,0x0)/
+        HD(1,GPT,14DD1CC5-D576-4BBF-8858-BAF877C8DF61,0x800,0x64000)/
+        \EFI\fedora\shim.efi
+
+      The motivation for this type of device path matching / completion is to
+      allow the user to move around the hard drive (for example, to plug a
+      controller in a different PCI slot, or to expose the block device on a
+      different iSCSI path) and still enable the firmware to find the hard
+      drive.
+
+      The UEFI specification says,
+
+        9.3.6 Media Device Path
+        9.3.6.1 Hard Drive
+
+          [...] Section 3.1.2 defines special rules for processing the Hard
+          Drive Media Device Path. These special rules enable a disk's location
+          to change and still have the system boot from the disk. [...]
+
+        3.1.2 Load Option Processing
+
+          [...] The boot manager must [...] support booting from a short-form
+          device path that starts with the first element being a hard drive
+          media device path [...]. The boot manager must use the GUID or
+          signature and partition number in the hard drive device path to match
+          it to a device in the system. If the drive supports the GPT
+          partitioning scheme the GUID in the hard drive media device path is
+          compared with the UniquePartitionGuid field of the GUID Partition
+          Entry [...]. If the drive supports the PC-AT MBR scheme the signature
+          in the hard drive media device path is compared with the
+          UniqueMBRSignature in the Legacy Master Boot Record [...]. If a
+          signature match is made, then the partition number must also be
+          matched. The hard drive device path can be appended to the matching
+          hardware device path and normal boot behavior can then be used. If
+          more than one device matches the hard drive device path, the boot
+          manager will pick one arbitrarily. Thus the operating system must
+          ensure the uniqueness of the signatures on hard drives to guarantee
+          deterministic boot behavior.
+
+      Edk2 implements and exposes the device path completion logic in the
+      already referenced "IntelFrameworkModulePkg/Library/GenericBdsLib"
+      library, in the BdsExpandPartitionPartialDevicePathToFull() function.
+
+    (d) Filtering and reordering the boot options based on fw_cfg
+
+      Once we have an "all-inclusive", partly preexistent, partly freshly
+      auto-generated boot option list from bullet (b), OVMF loads QEMU's
+      requested boot order from fw_cfg, and filters and reorders the list from
+      (b) with it:
+
+      PlatformBdsPolicyBehavior()                   [OvmfPkg/.../BdsPlatform.c]
+        TryRunningQemuKernel()                       [OvmfPkg/.../QemuKernel.c]
+        BdsLibConnectAll()           [IntelFrameworkModulePkg/.../BdsConnect.c]
+        BdsLibEnumerateAllBootOption()  [IntelFrameworkModulePkg/.../BdsBoot.c]
+        SetBootOrderFromQemu()                    [OvmfPkg/.../QemuBootOrder.c]
+
+      According to the (preferred) "-device ...,bootindex=N" and the (legacy)
+      '-boot order=drives' command line options, QEMU requests a boot order
+      from the firmware through the "bootorder" fw_cfg file. (For a bootindex
+      example, refer to the "Example qemu invocation" section.)
+
+      This fw_cfg file consists of OpenFirmware (OFW) device paths -- note: not
+      UEFI device paths! --, one per line. An example list is:
+
+        /pci@i0cf8/scsi@4/disk@0,0
+        /pci@i0cf8/ide@1,1/drive@1/disk@0
+        /pci@i0cf8/ethernet@3/ethernet-phy@0
+
+      OVMF filters and reorders the boot option list from bullet (b) with the
+      following nested loops algorithm:
+
+        new_uefi_order := <empty>
+        for each qemu_ofw_path in QEMU's OpenFirmware device path list:
+          qemu_uefi_path_prefix := translate(qemu_ofw_path)
+
+          for each boot_option in current_uefi_order:
+            full_boot_option := complete(boot_option)
+
+            if match(qemu_uefi_path_prefix, full_boot_option):
+              append(new_uefi_order, boot_option)
+              break
+
+        for each unmatched boot_option in current_uefi_order:
+          if survives(boot_option):
+            append(new_uefi_order, boot_option)
+
+        current_uefi_order := new_uefi_order
+
+      OVMF iterates over QEMU's OFW device paths in order, translates each to a
+      UEFI device path prefix, tries to match the translated prefix against the
+      UEFI boot options (which are completed from relative form to absolute
+      form for the purpose of prefix matching), and if there's a match, the
+      matching boot option is appended to the new boot order (which starts out
+      empty).
+
+      (We elaborate on the translate() function under bullet (e). The
+      complete() function has been explained in bullet (c).)
+
+      In addition, UEFI boot options that remain unmatched after filtering and
+      reordering are post-processed, and some of them "survive". Due to the
+      fact that OpenFirmware device paths have less expressive power than their
+      UEFI counterparts, some UEFI boot options are simply inexpressible (hence
+      unmatchable) by the nested loops algorithm.
+
+      An important example is the memory-mapped UEFI shell, whose UEFI device
+      path is inexpressible by QEMU's OFW device paths:
+
+        MemoryMapped(0xB,0x900000,0x10FFFFF)/
+        FvFile(7C04A583-9E3E-4F1C-AD65-E05268D0B4D1)
+
+      (Side remark: notice that the address range visible in the MemoryMapped()
+      node corresponds to DXEFV under "comprehensive memory map of OVMF"! In
+      addition, the FvFile() node's GUID originates from the FILE_GUID entry of
+      "ShellPkg/Application/Shell/Shell.inf".)
+
+      The UEFI shell can be booted by pressing ESC in OVMF on the TianoCore
+      splash screen, and navigating to Boot Manager | EFI Internal Shell. If
+      the "survival policy" was not implemented, the UEFI shell's boot option
+      would always be filtered out.
+
+      The current "survival policy" preserves all boot options that start with
+      neither PciRoot() nor HD().
+
+    (e) Translating QEMU's OpenFirmware device paths to UEFI device path
+        prefixes
+
+      In this section we list the (strictly heuristical) mappings currently
+      performed by OVMF.
+
+      The "prefix only" nature of the translation output is rooted minimally in
+      the fact that QEMU's OpenFirmware device paths cannot carry pathnames
+      within filesystems. There's no way to specify eg.
+
+        \EFI\fedora\shim.efi
+
+      in an OFW device path, therefore a UEFI device path translated from an
+      OFW device path can at best be a prefix (not a full match) of a UEFI
+      device path that ends with "\EFI\fedora\shim.efi".
+
+      - IDE disk, IDE CD-ROM:
+
+        OpenFirmware device path:
+
+          /pci@i0cf8/ide@1,1/drive@0/disk@0
+               ^         ^ ^       ^      ^
+               |         | |       |      master or slave
+               |         | |       primary or secondary
+               |         PCI slot & function holding IDE controller
+               PCI root at system bus port, PIO
+
+        UEFI device path prefix:
+
+          PciRoot(0x0)/Pci(0x1,0x1)/Ata(Primary,Master,0x0)
+                                                       ^
+                                                       fixed LUN
+
+      - Floppy disk:
+
+        OpenFirmware device path:
+
+          /pci@i0cf8/isa@1/fdc@03f0/floppy@0
+               ^         ^     ^           ^
+               |         |     |           A: or B:
+               |         |     ISA controller io-port (hex)
+               |         PCI slot holding ISA controller
+               PCI root at system bus port, PIO
+
+        UEFI device path prefix:
+
+          PciRoot(0x0)/Pci(0x1,0x0)/Floppy(0x0)
+                                           ^
+                                           ACPI UID (A: or B:)
+
+      - Virtio-block disk:
+
+        OpenFirmware device path:
+
+          /pci@i0cf8/scsi@6[,3]/disk@0,0
+               ^          ^  ^       ^ ^
+               |          |  |       fixed
+               |          |  PCI function corresponding to disk (optional)
+               |          PCI slot holding disk
+               PCI root at system bus port, PIO
+
+        UEFI device path prefixes (dependent on the presence of a nonzero PCI
+        function in the OFW device path):
+
+          PciRoot(0x0)/Pci(0x6,0x0)/HD(
+          PciRoot(0x0)/Pci(0x6,0x3)/HD(
+
+      - Virtio-scsi disk and virtio-scsi passthrough:
+
+        OpenFirmware device path:
+
+          /pci@i0cf8/scsi@7[,3]/channel@0/disk@2,3
+               ^          ^             ^      ^ ^
+               |          |             |      | LUN
+               |          |             |      target
+               |          |             channel (unused, fixed 0)
+               |          PCI slot[, function] holding SCSI controller
+               PCI root at system bus port, PIO
+
+        UEFI device path prefixes (dependent on the presence of a nonzero PCI
+        function in the OFW device path):
+
+          PciRoot(0x0)/Pci(0x7,0x0)/Scsi(0x2,0x3)
+          PciRoot(0x0)/Pci(0x7,0x3)/Scsi(0x2,0x3)
+
+      - Emulated and passed-through (physical) network cards:
+
+        OpenFirmware device path:
+
+          /pci@i0cf8/ethernet@3[,2]
+               ^              ^
+               |              PCI slot[, function] holding Ethernet card
+               PCI root at system bus port, PIO
+
+        UEFI device path prefixes (dependent on the presence of a nonzero PCI
+        function in the OFW device path):
+
+          PciRoot(0x0)/Pci(0x3,0x0)
+          PciRoot(0x0)/Pci(0x3,0x2)
+
+Virtio drivers
+..............
+
+UEFI abstracts various types of hardware resources into protocols, and allows
+firmware developers to implement those protocols in device drivers. The Virtio
+Specification defines various types of virtual hardware for virtual machines.
+Connecting the two specifications, OVMF provides UEFI drivers for QEMU's
+virtio-block, virtio-scsi, and virtio-net devices.
+
+The following diagram presents the protocol and driver stack related to Virtio
+devices in edk2 and OVMF. Each node in the graph identifies a protocol and/or
+the edk2 driver that produces it. Nodes on the top are more abstract.
+
+  EFI_BLOCK_IO_PROTOCOL                             EFI_SIMPLE_NETWORK_PROTOCOL
+  [OvmfPkg/VirtioBlkDxe]                              [OvmfPkg/VirtioNetDxe]
+             |                                                   |
+             |         EFI_EXT_SCSI_PASS_THRU_PROTOCOL           |
+             |             [OvmfPkg/VirtioScsiDxe]               |
+             |                        |                          |
+             +------------------------+--------------------------+
+                                      |
+                           VIRTIO_DEVICE_PROTOCOL
+                                      |
+                +---------------------+---------------------+
+                |                                           |
+  [OvmfPkg/VirtioPciDeviceDxe]                  [custom platform drivers]
+                |                                           |
+                |                                           |
+       EFI_PCI_IO_PROTOCOL                [OvmfPkg/Library/VirtioMmioDeviceLib]
+ [MdeModulePkg/Bus/Pci/PciBusDxe]              direct MMIO register access
+
+The top three drivers produce standard UEFI abstractions: the Block IO
+Protocol, the Extended SCSI Pass Thru Protocol, and the Simple Network
+Protocol, for virtio-block, virtio-scsi, and virtio-net devices, respectively.
+
+Comparing these device-specific virtio drivers to each other, we can determine:
+
+- They all conform to the UEFI Driver Model. This means that their entry point
+  functions don't immediately start to search for devices and to drive them,
+  they only register instances of the EFI_DRIVER_BINDING_PROTOCOL. The UEFI
+  Driver Model then enumerates devices and chains matching drivers
+  automatically.
+
+- They are as minimal as possible, while remaining correct (refer to source
+  code comments for details). For example, VirtioBlkDxe and VirtioScsiDxe both
+  support only one request in flight.
+
+  In theory, VirtioBlkDxe could implement EFI_BLOCK_IO2_PROTOCOL, which allows
+  queueing. Similarly, VirtioScsiDxe does not support the non-blocking mode of
+  EFI_EXT_SCSI_PASS_THRU_PROTOCOL.PassThru(). (Which is permitted by the UEFI
+  specification.) Both VirtioBlkDxe and VirtioScsiDxe delegate synchronous
+  request handling to "OvmfPkg/Library/VirtioLib". This limitation helps keep
+  the implementation simple, and testing thus far seems to imply satisfactory
+  performance, for a virtual boot firmware.
+
+  VirtioNetDxe cannot avoid queueing, because EFI_SIMPLE_NETWORK_PROTOCOL
+  requires it on the interface level. Consequently, VirtioNetDxe is
+  significantly more complex than VirtioBlkDxe and VirtioScsiDxe. Technical
+  notes are provided in "OvmfPkg/VirtioNetDxe/TechNotes.txt".
+
+- None of these drivers access hardware directly. Instead, the Virtio Device
+  Protocol (OvmfPkg/Include/Protocol/VirtioDevice.h) collects / extracts virtio
+  operations defined in the Virtio Specification, and these backend-independent
+  virtio device drivers go through the abstract VIRTIO_DEVICE_PROTOCOL.
+
+  IMPORTANT: the VIRTIO_DEVICE_PROTOCOL is not a standard UEFI protocol. It is
+  internal to edk2 and not described in the UEFI specification. It should only
+  be used by drivers and applications that live inside the edk2 source tree.
+
+Currently two providers exist for VIRTIO_DEVICE_PROTOCOL:
+
+- The first one is the "more traditional" virtio-pci backend, implemented by
+  OvmfPkg/VirtioPciDeviceDxe. This driver also complies with the UEFI Driver
+  Model. It consumes an instance of the EFI_PCI_IO_PROTOCOL, and, if the PCI
+  device/function under probing appears to be a virtio device, it produces a
+  Virtio Device Protocol instance for it. The driver translates abstract virtio
+  operations to PCI accesses.
+
+- The second provider, the virtio-mmio backend, is a library, not a driver,
+  living in OvmfPkg/Library/VirtioMmioDeviceLib. This library translates
+  abstract virtio operations to MMIO accesses.
+
+  The virtio-mmio backend is only a library -- rather than a standalone, UEFI
+  Driver Model-compliant driver -- because the type of resource it consumes, an
+  MMIO register block base address, is not enumerable.
+
+  In other words, while the PCI root bridge driver and the PCI bus driver
+  produce instances of EFI_PCI_IO_PROTOCOL automatically, thereby enabling the
+  UEFI Driver Model to probe devices and stack up drivers automatically, no
+  such enumeration exists for MMIO register blocks.
+
+  For this reason, VirtioMmioDeviceLib needs to be linked into thin, custom
+  platform drivers that dispose over this kind of information. As soon as a
+  driver knows about the MMIO register block base addresses, it can pass each
+  to the library, and then the VIRTIO_DEVICE_PROTOCOL will be instantiated
+  (assuming a valid virtio-mmio register block of course). From that point on
+  the UEFI Driver Model again takes care of the chaining.
+
+  Typically, such a custom driver does not conform to the UEFI Driver Model
+  (because that would presuppose auto-enumeration for MMIO register blocks).
+  Hence it has the following responsibilities:
+
+  - it shall behave as a "wrapper" UEFI driver around the library,
+
+  - it shall know virtio-mmio base addresses,
+
+  - in its entry point function, it shall create a new UEFI handle with an
+    instance of the EFI_DEVICE_PATH_PROTOCOL for each virtio-mmio device it
+    knows the base address for,
+
+  - it shall call VirtioMmioInstallDevice() on those handles, with the
+    corresponding base addresses.
+
+  OVMF itself does not employ VirtioMmioDeviceLib. However, the library is used
+  (or has been tested as Proof-of-Concept) in the following 64-bit and 32-bit
+  ARM emulator setups:
+
+  - in "RTSM_VE_FOUNDATIONV8_EFI.fd" and "FVP_AARCH64_EFI.fd", on ARM Holdings'
+    ARM(R) v8-A Foundation Model and ARM(R) AEMv8-A Base Platform FVP
+    emulators, respectively:
+
+                           EFI_BLOCK_IO_PROTOCOL
+                           [OvmfPkg/VirtioBlkDxe]
+                                      |
+                           VIRTIO_DEVICE_PROTOCOL
+        [ArmPlatformPkg/ArmVExpressPkg/ArmVExpressDxe/ArmFvpDxe.inf]
+                                      |
+                    [OvmfPkg/Library/VirtioMmioDeviceLib]
+                         direct MMIO register access
+
+  - in "RTSM_VE_CORTEX-A15_EFI.fd" and "RTSM_VE_CORTEX-A15_MPCORE_EFI.fd", on
+    "qemu-system-arm -M vexpress-a15":
+
+        EFI_BLOCK_IO_PROTOCOL            EFI_SIMPLE_NETWORK_PROTOCOL
+        [OvmfPkg/VirtioBlkDxe]             [OvmfPkg/VirtioNetDxe]
+                   |                                  |
+                   +------------------+---------------+
+                                      |
+                           VIRTIO_DEVICE_PROTOCOL
+        [ArmPlatformPkg/ArmVExpressPkg/ArmVExpressDxe/ArmFvpDxe.inf]
+                                      |
+                    [OvmfPkg/Library/VirtioMmioDeviceLib]
+                         direct MMIO register access
+
+  In the above ARM / VirtioMmioDeviceLib configurations, VirtioBlkDxe was
+  tested with booting Linux distributions, while VirtioNetDxe was tested with
+  pinging public IPv4 addresses from the UEFI shell.
+
+Platform Driver
+...............
+
+Sometimes, elements of persistent firmware configuration are best exposed to
+the user in a friendly way. OVMF's platform driver (OvmfPkg/PlatformDxe)
+presents such settings on the "OVMF Platform Configuration" dialog:
+
+- Press ESC on the TianoCore splash screen,
+- Navigate to Device Manager | OVMF Platform Configuration.
+
+At the moment, OVMF's platform driver handles only one setting: the preferred
+graphics resolution. This is useful for two purposes:
+
+- Some UEFI shell commands, like DRIVERS and DEVICES, benefit from a wide
+  display. Using the MODE shell command, the user can switch to a larger text
+  resolution (limited by the graphics resolution), and see the command output
+  in a more easily consumable way.
+
+  [RHEL] The list of text modes available to the MODE command is also limited
+         by ConSplitterDxe (found under MdeModulePkg/Universal/Console).
+         ConSplitterDxe builds an intersection of text modes that are
+         simultaneously supported by all consoles that ConSplitterDxe
+         multiplexes console output to.
+
+         In practice, the strongest text mode restriction comes from
+         TerminalDxe, which provides console I/O on serial ports. TerminalDxe
+         has a very limited built-in list of text modes, heavily pruning the
+         intersection built by ConSplitterDxe, and made available to the MODE
+         command.
+
+         On the Red Hat Enterprise Linux 7.1 host, TerminalDxe's list of modes
+         has been extended with text resolutions that match the Spice QXL GPU's
+         common graphics resolutions. This way a "full screen" text mode should
+         always be available in the MODE command.
+
+- The other advantage of controlling the graphics resolution lies with UEFI
+  operating systems that don't (yet) have a native driver for QEMU's virtual
+  video cards  -- eg. the Spice QXL GPU. Such OSes may choose to inherit the
+  properties of OVMF's EFI_GRAPHICS_OUTPUT_PROTOCOL (provided by
+  OvmfPkg/QemuVideoDxe, see later).
+
+  Although the display can be used at runtime in such cases, by direct
+  framebuffer access, its properties, for example, the resolution, cannot be
+  modified. The platform driver allows the user to select the preferred GOP
+  resolution, reboot, and let the guest OS inherit that preferred resolution.
+
+The platform driver has three access points: the "normal" driver entry point, a
+set of HII callbacks, and a GOP installation callback.
+
+(1) Driver entry point: the PlatformInit() function.
+
+    (a) First, this function loads any available settings, and makes them take
+        effect. For the preferred graphics resolution in particular, this means
+        setting the following PCDs:
+
+          gEfiMdeModulePkgTokenSpaceGuid.PcdVideoHorizontalResolution
+          gEfiMdeModulePkgTokenSpaceGuid.PcdVideoVerticalResolution
+
+        These PCDs influence the GraphicsConsoleDxe driver (located under
+        MdeModulePkg/Universal/Console), which switches to the preferred
+        graphics mode, and produces EFI_SIMPLE_TEXT_OUTPUT_PROTOCOLs on GOPs:
+
+                    EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL
+          [MdeModulePkg/Universal/Console/GraphicsConsoleDxe]
+                                   |
+                      EFI_GRAPHICS_OUTPUT_PROTOCOL
+                         [OvmfPkg/QemuVideoDxe]
+                                   |
+                          EFI_PCI_IO_PROTOCOL
+                   [MdeModulePkg/Bus/Pci/PciBusDxe]
+
+  (b) Second, the driver entry point registers the user interface, including
+      HII callbacks.
+
+  (c) Third, the driver entry point registers a GOP installation callback.
+
+(2) HII callbacks and the user interface.
+
+    The Human Interface Infrastructure (HII) "is a set of protocols that allow
+    a UEFI driver to provide the ability to register user interface and
+    configuration content with the platform firmware".
+
+    OVMF's platform driver:
+
+    - provides a static, basic, visual form (PlatformForms.vfr), written in the
+      Visual Forms Representation language,
+
+    - includes a UCS-16 encoded message catalog (Platform.uni),
+
+    - includes source code that dynamically populates parts of the form, with
+      the help of MdeModulePkg/Library/UefiHiiLib -- this library simplifies
+      the handling of IFR (Internal Forms Representation) opcodes,
+
+    - processes form actions that the user takes (Callback() function),
+
+    - loads and saves platform configuration in a private, non-volatile
+      variable (ExtractConfig() and RouteConfig() functions).
+
+    The ExtractConfig() HII callback implements the following stack of
+    conversions, for loading configuration and presenting it to the user:
+
+          MultiConfigAltResp       -- form engine / HII communication
+                  ^
+                  |
+           [BlockToConfig]
+                  |
+           MAIN_FORM_STATE         -- binary representation of form/widget
+                  ^                   state
+                  |
+      [PlatformConfigToFormState]
+                  |
+           PLATFORM_CONFIG         -- accessible to DXE and UEFI drivers
+                  ^
+                  |
+         [PlatformConfigLoad]
+                  |
+        UEFI non-volatile variable -- accessible to external utilities
+
+    The layers are very similar for the reverse direction, ie. when taking
+    input from the user, and saving the configuration (RouteConfig() HII
+    callback):
+
+             ConfigResp            -- form engine / HII communication
+                  |
+           [ConfigToBlock]
+                  |
+                  v
+           MAIN_FORM_STATE         -- binary representation of form/widget
+                  |                   state
+      [FormStateToPlatformConfig]
+                  |
+                  v
+           PLATFORM_CONFIG         -- accessible to DXE and UEFI drivers
+                  |
+         [PlatformConfigSave]
+                  |
+                  v
+        UEFI non-volatile variable -- accessible to external utilities
+
+(3) When the platform driver starts, a GOP may not be available yet. Thus the
+    driver entry point registers a callback (the GopInstalled() function) for
+    GOP installations.
+
+    When the first GOP is produced (usually by QemuVideoDxe, or potentially by
+    a third party video driver), PlatformDxe retrieves the list of graphics
+    modes the GOP supports, and dynamically populates the drop-down list of
+    available resolutions on the form. The GOP installation callback is then
+    removed.
+
+Video driver
+............
+
+OvmfPkg/QemuVideoDxe is OVMF's built-in video driver. We can divide its
+services in two parts: graphics output protocol (primary), and Int10h (VBE)
+shim (secondary).
+
+(1) QemuVideoDxe conforms to the UEFI Driver Model; it produces an instance of
+    the EFI_GRAPHICS_OUTPUT_PROTOCOL (GOP) on each PCI display that it supports
+    and is connected to:
+
+                      EFI_GRAPHICS_OUTPUT_PROTOCOL
+                         [OvmfPkg/QemuVideoDxe]
+                                   |
+                          EFI_PCI_IO_PROTOCOL
+                   [MdeModulePkg/Bus/Pci/PciBusDxe]
+
+    It supports the following QEMU video cards:
+
+    - Cirrus 5430 ("-device cirrus-vga"),
+    - Standard VGA ("-device VGA"),
+    - QXL VGA ("-device qxl-vga", "-device qxl").
+
+    For Cirrus the following resolutions and color depths are available:
+    640x480x32, 800x600x32, 1024x768x24. On stdvga and QXL a long list of
+    resolutions is available. The list is filtered against the frame buffer
+    size during initialization.
+
+    The size of the QXL VGA compatibility framebuffer can be changed with the
+
+      -device qxl-vga,vgamem_mb=$NUM_MB
+
+    QEMU option. If $NUM_MB exceeds 32, then the following is necessary
+    instead:
+
+      -device qxl-vga,vgamem_mb=$NUM_MB,ram_size_mb=$((NUM_MB*2))
+
+    because the compatibility framebuffer can't cover more than half of PCI BAR
+    #0. The latter defaults to 64MB in size, and is controlled by the
+    "ram_size_mb" property.
+
+(2) When QemuVideoDxe binds the first Standard VGA or QXL VGA device, and there
+    is no real VGA BIOS present in the C to F segments (which could originate
+    from a legacy PCI option ROM -- refer to "Compatibility Support Module
+    (CSM)"), then QemuVideoDxe installs a minimal, "fake" VGA BIOS -- an Int10h
+    (VBE) "shim".
+
+    The shim is implemented in 16-bit assembly in
+    "OvmfPkg/QemuVideoDxe/VbeShim.asm". The "VbeShim.sh" shell script assembles
+    it and formats it as a C array ("VbeShim.h") with the help of the "nasm"
+    utility. The driver's InstallVbeShim() function copies the shim in place
+    (the C segment), and fills in the VBE Info and VBE Mode Info structures.
+    The real-mode 10h interrupt vector is pointed to the shim's handler.
+
+    The shim is (correctly) irrelevant and invisible for all UEFI operating
+    systems we know about -- except Windows Server 2008 R2 and other Windows
+    operating systems in that family.
+
+    Namely, the Windows 2008 R2 SP1 (and Windows 7) UEFI guest's default video
+    driver dereferences the real mode Int10h vector, loads the pointed-to
+    handler code, and executes what it thinks to be VGA BIOS services in an
+    internal real-mode emulator. Consequently, video mode switching used not to
+    work in Windows 2008 R2 SP1 when it ran on the "pure UEFI" build of OVMF,
+    making the guest uninstallable. Hence the (otherwise optional, non-default)
+    Compatibility Support Module (CSM) ended up a requirement for running such
+    guests.
+
+    The hard dependency on the sophisticated SeaBIOS CSM and the complex
+    supporting edk2 infrastructure, for enabling this family of guests, was
+    considered suboptimal by some members of the upstream community,
+
+    [RHEL] and was certainly considered a serious maintenance disadvantage for
+           Red Hat Enterprise Linux 7.1 hosts.
+
+    Thus, the shim has been collaboratively developed for the Windows 7 /
+    Windows Server 2008 R2 family. The shim provides a real stdvga / QXL
+    implementation for the few services that are in fact necessary for the
+    Windows 2008 R2 SP1 (and Windows 7) UEFI guest, plus some "fakes" that the
+    guest invokes but whose effect is not important. The only supported mode is
+    1024x768x32, which is enough to install the guest and then upgrade its
+    video driver to the full-featured QXL XDDM one.
+
+    The C segment is not present in the UEFI memory map prepared by OVMF.
+    Memory space that would cover it is never added (either in PEI, in the form
+    of memory resource descriptor HOBs, or in DXE, via gDS->AddMemorySpace()).
+    This way the handler body is invisible to all other UEFI guests, and the
+    rest of edk2.
+
+    The Int10h real-mode IVT entry is covered with a Boot Services Code page,
+    making that too inaccessible to the rest of edk2. Due to the allocation
+    type, UEFI guest OSes different from the Windows Server 2008 family can
+    reclaim the page at zero. (The Windows 2008 family accesses that page
+    regardless of the allocation type.)
+
+Afterword
+---------
+
+After the bulk of this document was written in July 2014, OVMF development has
+not stopped. To name two significant code contributions from the community: in
+January 2015, OVMF runs on the "q35" machine type of QEMU, and it features a
+driver for Xen paravirtual block devices (and another for the underlying Xen
+bus).
+
+Furthermore, a dedicated virtualization platform has been contributed to
+ArmPlatformPkg that plays a role parallel to OvmfPkg's. It targets the "virt"
+machine type of qemu-system-arm and qemu-system-aarch64. Parts of OvmfPkg are
+being refactored and modularized so they can be reused in
+"ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc".
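Review bot: The Afterword names "ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc" as the ARM virtualization platform, but the spec file added in this same patch builds "ArmVirtPkg/ArmVirtQemu.dsc", so a reader following the whitepaper will look for a platform path that this package does not use. Since the file is shipped as a pinned snapshot (ovmf-whitepaper-c770f8c.txt), I would leave the text alone and record the discrepancy in a comment next to Source1 in the spec. If the text is ever refreshed, three smaller items in this part are worth fixing: "UCS-16 encoded message catalog" uses an encoding name that does not exist (UCS-2 or UTF-16 is presumably meant), items (b) and (c) under "(1) Driver entry point" are indented two columns less than item (a), and "in January 2015, OVMF runs on" mixes tenses with the sentence before it.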
diff --git a/SPECS/edk2.spec b/SPECS/edk2.spec
new file mode 100644
index 0000000..a9c0d90
--- /dev/null
+++ b/SPECS/edk2.spec
@@ -0,0 +1,1303 @@
+ExclusiveArch: x86_64 aarch64
+
+%define GITDATE        20210527
+%define GITCOMMIT      e1999b264f1f
+%define TOOLCHAIN      GCC5
+%define OPENSSL_VER    1.1.1k
+
+%define qosb_testing 0
+%ifarch x86_64
+%define qosb_testing 1
+%endif
+
+%define qemu_package qemu-kvm-core >= 2.12.0-89
+%define qemu_binary /usr/libexec/qemu-kvm
+
+%define build_ovmf 0
+%define build_aarch64 0
+%ifarch x86_64
+  %define build_ovmf 1
+%endif
+%ifarch aarch64
+  %define build_aarch64 1
+%endif
+
+Name:       edk2
+Version:    %{GITDATE}git%{GITCOMMIT}
+Release:    6%{?dist}
+Summary:    UEFI firmware for 64-bit virtual machines
+License:    BSD-2-Clause-Patent and OpenSSL and MIT
+URL:        http://www.tianocore.org
+
+# The source tarball is created using following commands:
+# COMMIT=e1999b264f1f
+# git archive --format=tar --prefix=edk2-$COMMIT/ $COMMIT \
+# | xz -9ev >/tmp/edk2-$COMMIT.tar.xz
+Source0: http://batcave.lab.eng.brq.redhat.com/www/edk2-%{GITCOMMIT}.tar.xz
+Source1: ovmf-whitepaper-c770f8c.txt
+Source2: openssl-rhel-bdd048e929dcfcf2f046d74e812e0e3d5fc58504.tar.xz
+Source3: ovmf-vars-generator
+Source4: LICENSE.qosb
+Source5: RedHatSecureBootPkKek1.pem
+
+Source10: edk2-aarch64-verbose.json
+Source11: edk2-aarch64.json
+Source12: edk2-ovmf-sb.json
+Source13: edk2-ovmf.json
+Source14: edk2-ovmf-cc.json
+
+Patch0008: 0008-BaseTools-do-not-build-BrotliCompress-RH-only.patch
+Patch0009: 0009-MdeModulePkg-remove-package-private-Brotli-include-p.patch
+Patch0010: 0010-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
+Patch0011: 0011-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch
+Patch0012: 0012-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch
+Patch0013: 0013-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch
+Patch0014: 0014-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch
+Patch0015: 0015-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch
+Patch0016: 0016-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch
+Patch0017: 0017-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch
+Patch0018: 0018-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch
+Patch0019: 0019-ArmVirtPkg-set-early-hello-message-RH-only.patch
+Patch0020: 0020-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch
+Patch0021: 0021-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch
+Patch0022: 0022-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch
+Patch0023: 0023-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch
+Patch0024: 0024-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
+Patch0025: 0025-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch
+Patch0026: 0026-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch
+Patch0027: 0027-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch
+# For bz#1961100 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]
+Patch28: edk2-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch
+# For bz#1961100 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]
+Patch29: edk2-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch
+# For bz#1961100 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]
+Patch30: edk2-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch
+# For bz#1961100 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]
+Patch31: edk2-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch
+# For bz#1961100 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]
+Patch32: edk2-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch
+# For bz#1961100 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]
+Patch33: edk2-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch
+# For bz#1961100 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]
+Patch34: edk2-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch
+# For bz#1961100 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]
+Patch35: edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch
+# For bz#1961100 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]
+Patch36: edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch
+# For bz#1961100 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]
+Patch37: edk2-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch
+# For bz#1967747 - edk2: review features and drivers shipped in RHEL
+Patch38: edk2-OvmfPkg-Remove-PrintDxe-RHEL-only.patch
+# For bz#1967747 - edk2: review features and drivers shipped in RHEL
+Patch39: edk2-OvmfPkg-Remove-EbcDxe-RHEL-only.patch
+# For bz#1967747 - edk2: review features and drivers shipped in RHEL
+Patch40: edk2-ArmVirtPkg-Remove-EbcDxe-RHEL-only.patch
+# For bz#1967747 - edk2: review features and drivers shipped in RHEL
+Patch41: edk2-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch
+# For bz#1967747 - edk2: review features and drivers shipped in RHEL
+Patch42: edk2-OvmfPkg-Remove-QemuRamfbDxe-display-device-driver-RH.patch
+# For bz#1967747 - edk2: review features and drivers shipped in RHEL
+Patch43: edk2-ArmVirtPkg-Remove-QemuRamfbDxe-display-device-driver.patch
+# For bz#1967747 - edk2: review features and drivers shipped in RHEL
+Patch44: edk2-OvmfPkg-Remove-NvmExpressDxe-device-driver-RHEL-only.patch
+# For bz#1967747 - edk2: review features and drivers shipped in RHEL
+Patch45: edk2-ArmVirtPkg-Remove-NvmExpressDxe-device-driver-RHEL-o.patch
+# For bz#1967747 - edk2: review features and drivers shipped in RHEL
+Patch46: edk2-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch
+# For bz#1967747 - edk2: review features and drivers shipped in RHEL
+Patch47: edk2-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch
+# For bz#1967747 - edk2: review features and drivers shipped in RHEL
+Patch48: edk2-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch
+# For bz#1967747 - edk2: review features and drivers shipped in RHEL
+Patch49: edk2-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch
+# For bz#1967747 - edk2: review features and drivers shipped in RHEL
+Patch50: edk2-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch
+# For bz#1967747 - edk2: review features and drivers shipped in RHEL
+Patch51: edk2-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch
+# For bz#1967747 - edk2: review features and drivers shipped in RHEL
+Patch52: edk2-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch
+# For bz#1967747 - edk2: review features and drivers shipped in RHEL
+Patch53: edk2-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch
+# For bz#1967747 - edk2: review features and drivers shipped in RHEL
+Patch54: edk2-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch
+# For bz#1967747 - edk2: review features and drivers shipped in RHEL
+Patch55: edk2-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch
+# For bz#1967747 - edk2: review features and drivers shipped in RHEL
+Patch56: edk2-OvmfPkg-Remove-Xen-Drivers-RHEL-only.patch
+# For bz#1988760 - edk2 does not ignore PMBR protective record BootIndicator as required by UEFI spec
+Patch57: edk2-MdeModulePkg-PartitionDxe-Ignore-PMBR-BootIndicator-.patch
+
+
+# python3-devel and libuuid-devel are required for building tools.
+# python3-devel is also needed for varstore template generation and
+# verification with "ovmf-vars-generator".
+BuildRequires:  python3-devel
+BuildRequires:  libuuid-devel
+BuildRequires:  /usr/bin/iasl
+BuildRequires:  binutils gcc git gcc-c++ make
+
+%if %{build_ovmf}
+# Only OVMF includes 80x86 assembly files (*.nasm*).
+BuildRequires:  nasm
+
+# Only OVMF includes the Secure Boot feature, for which we need to separate out
+# the UEFI shell.
+BuildRequires:  dosfstools
+BuildRequires:  mtools
+BuildRequires:  xorriso
+
+# For generating the variable store template with the default certificates
+# enrolled, we need the qemu-kvm executable.
+BuildRequires:  %{qemu_package}
+
+%if %{qosb_testing}
+# For verifying SB enablement in the above variable store template, we need a
+# guest kernel that prints "Secure boot enabled".
+BuildRequires: kernel-core >= 4.18.0-161
+BuildRequires: rpmdevtools
+%endif
+
+# endif build_ovmf
+%endif
+
+
+%package ovmf
+Summary:    UEFI firmware for x86_64 virtual machines
+BuildArch:  noarch
+Provides:   OVMF = %{version}-%{release}
+Obsoletes:  OVMF < 20180508-100.gitee3198e672e2.el7
+
+# OVMF includes the Secure Boot and IPv6 features; it has a builtin OpenSSL
+# library.
+Provides:   bundled(openssl) = %{OPENSSL_VER}
+License:    BSD-2-Clause-Patent and OpenSSL
+
+# URL taken from the Maintainers.txt file.
+URL:        http://www.tianocore.org/ovmf/
+
+%description ovmf
+OVMF (Open Virtual Machine Firmware) is a project to enable UEFI support for
+Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU
+and KVM.
+
+
+%package aarch64
+Summary:    UEFI firmware for aarch64 virtual machines
+BuildArch:  noarch
+Provides:   AAVMF = %{version}-%{release}
+Obsoletes:  AAVMF < 20180508-100.gitee3198e672e2.el7
+
+# No Secure Boot for AAVMF yet, but we include OpenSSL for the IPv6 stack.
+Provides:   bundled(openssl) = %{OPENSSL_VER}
+License:    BSD-2-Clause-Patent and OpenSSL
+
+# URL taken from the Maintainers.txt file.
+URL:        https://github.com/tianocore/tianocore.github.io/wiki/ArmVirtPkg
+
+%description aarch64
+AAVMF (ARM Architecture Virtual Machine Firmware) is an EFI Development Kit II
+platform that enables UEFI support for QEMU/KVM ARM Virtual Machines. This
+package contains a 64-bit build.
+
+
+%package tools
+Summary:        EFI Development Kit II Tools
+License:        BSD-2-Clause-Patent
+URL:            https://github.com/tianocore/tianocore.github.io/wiki/BaseTools
+%description tools
+This package provides tools that are needed to
+build EFI executables and ROMs using the GNU tools.
+
+%package tools-doc
+Summary:        Documentation for EFI Development Kit II Tools
+BuildArch:      noarch
+License:        BSD-2-Clause-Patent
+URL:            https://github.com/tianocore/tianocore.github.io/wiki/BaseTools
+%description tools-doc
+This package documents the tools that are needed to
+build EFI executables and ROMs using the GNU tools.
+
+%description
+EDK II is a modern, feature-rich, cross-platform firmware development
+environment for the UEFI and PI specifications. This package contains sample
+64-bit UEFI firmware builds for QEMU and KVM.
+
+%prep
+# We needs some special git config options that %%autosetup won't give us.
+# We init the git dir ourselves, then tell %%autosetup not to blow it away.
+%setup -q -n edk2-%{GITCOMMIT}
+git init -q
+git config core.whitespace cr-at-eol
+git config am.keepcr true
+# -T is passed to %%setup to not re-extract the archive
+# -D is passed to %%setup to not delete the existing archive dir
+%autosetup -T -D -n edk2-%{GITCOMMIT} -S git_am
+
+cp -a -- %{SOURCE1} %{SOURCE3} .
+cp -a -- %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} .
+tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x
+
+# Format the Red Hat-issued certificate that is to be enrolled as both Platform
+# Key and first Key Exchange Key, as an SMBIOS OEM String. This means stripping
+# the PEM header and footer, and prepending the textual representation of the
+# GUID that identifies this particular OEM String to "EnrollDefaultKeys.efi",
+# plus the separator ":". For details, see
+# <https://bugzilla.tianocore.org/show_bug.cgi?id=1747> comments 2, 7, 14.
+sed \
+  -e 's/^-----BEGIN CERTIFICATE-----$/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' \
+  -e '/^-----END CERTIFICATE-----$/d' \
+  %{SOURCE5} \
+  > PkKek1.oemstr
+
+# Done by %setup, but we do not use it for the auxiliary tarballs
+chmod -Rf a+rX,u+w,g-w,o-w .
+
+%build
+export PYTHON_COMMAND=%{__python3}
+source ./edksetup.sh
+%make_build -C "$EDK_TOOLS_PATH" \
+  EXTRA_OPTFLAGS="%{optflags}" \
+  EXTRA_LDFLAGS="%{__global_ldflags}"
+
+SMP_MFLAGS="%{?_smp_mflags}"
+if [[ x"$SMP_MFLAGS" = x-j* ]]; then
+        CC_FLAGS="$CC_FLAGS -n ${SMP_MFLAGS#-j}"
+elif [ -n "%{?jobs}" ]; then
+        CC_FLAGS="$CC_FLAGS -n %{?jobs}"
+fi
+
+CC_FLAGS="$CC_FLAGS --cmd-len=65536 -t %{TOOLCHAIN} -b DEBUG --hash"
+CC_FLAGS="$CC_FLAGS -D NETWORK_IP6_ENABLE"
+CC_FLAGS="$CC_FLAGS -D NETWORK_HTTP_BOOT_ENABLE -D NETWORK_TLS_ENABLE"
+CC_FLAGS="$CC_FLAGS -D TPM_ENABLE"
+
+OVMF_FLAGS="${CC_FLAGS}"
+OVMF_FLAGS="${OVMF_FLAGS} -D FD_SIZE_4MB"
+OVMF_FLAGS="${OVMF_FLAGS} -D PVSCSI_ENABLE=FALSE -D MPT_SCSI_ENABLE=FALSE"
+
+OVMF_SB_FLAGS="${OVMF_FLAGS}"
+OVMF_SB_FLAGS="${OVMF_SB_FLAGS} -D SECURE_BOOT_ENABLE"
+OVMF_SB_FLAGS="${OVMF_SB_FLAGS} -D SMM_REQUIRE"
+OVMF_SB_FLAGS="${OVMF_SB_FLAGS} -D EXCLUDE_SHELL_FROM_FD"
+
+
+build_iso() {
+  dir="$1"
+  UEFI_SHELL_BINARY=${dir}/Shell.efi
+  ENROLLER_BINARY=${dir}/EnrollDefaultKeys.efi
+  UEFI_SHELL_IMAGE=uefi_shell.img
+  ISO_IMAGE=${dir}/UefiShell.iso
+
+  UEFI_SHELL_BINARY_BNAME=$(basename -- "$UEFI_SHELL_BINARY")
+  UEFI_SHELL_SIZE=$(stat --format=%s -- "$UEFI_SHELL_BINARY")
+  ENROLLER_SIZE=$(stat --format=%s -- "$ENROLLER_BINARY")
+
+  # add 1MB then 10% for metadata
+  UEFI_SHELL_IMAGE_KB=$((
+    (UEFI_SHELL_SIZE + ENROLLER_SIZE + 1 * 1024 * 1024) * 11 / 10 / 1024
+  ))
+
+  # create non-partitioned FAT image
+  rm -f -- "$UEFI_SHELL_IMAGE"
+  mkdosfs -C "$UEFI_SHELL_IMAGE" -n UEFI_SHELL -- "$UEFI_SHELL_IMAGE_KB"
+
+  # copy the shell binary into the FAT image
+  export MTOOLS_SKIP_CHECK=1
+  mmd   -i "$UEFI_SHELL_IMAGE"                       ::efi
+  mmd   -i "$UEFI_SHELL_IMAGE"                       ::efi/boot
+  mcopy -i "$UEFI_SHELL_IMAGE"  "$UEFI_SHELL_BINARY" ::efi/boot/bootx64.efi
+  mcopy -i "$UEFI_SHELL_IMAGE"  "$ENROLLER_BINARY"   ::
+  mdir  -i "$UEFI_SHELL_IMAGE"  -/                   ::
+
+  # build ISO with FAT image file as El Torito EFI boot image
+  mkisofs -input-charset ASCII -J -rational-rock \
+    -e "$UEFI_SHELL_IMAGE" -no-emul-boot \
+    -o "$ISO_IMAGE" "$UEFI_SHELL_IMAGE"
+}
+
+
+%if %{build_ovmf}
+# Build with neither SB nor SMM; include UEFI shell.
+build ${OVMF_FLAGS} -a X64 \
+  -p OvmfPkg/OvmfPkgX64.dsc
+
+# Build with SB and SMM; exclude UEFI shell.
+build ${OVMF_SB_FLAGS} -a IA32 -a X64 \
+  -p OvmfPkg/OvmfPkgIa32X64.dsc
+
+# Sanity check: the varstore templates must be identical.
+cmp Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \
+  Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd
+
+# Prepare an ISO image that boots the UEFI shell.
+build_iso Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64
+
+# Enroll the default certificates in a separate variable store template.
+%{__python3} ovmf-vars-generator --verbose --verbose \
+  --qemu-binary        %{qemu_binary} \
+  --ovmf-binary        Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_CODE.fd \
+  --ovmf-template-vars Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \
+  --uefi-shell-iso     Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/UefiShell.iso \
+  --oem-string         "$(< PkKek1.oemstr)" \
+  --skip-testing \
+  Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.secboot.fd
+
+# endif build_ovmf
+%endif
+
+%if %{build_aarch64}
+# Build with a verbose debug mask first, and stash the binary.
+build ${CC_FLAGS} -a AARCH64 \
+  -p ArmVirtPkg/ArmVirtQemu.dsc \
+  -D DEBUG_PRINT_ERROR_LEVEL=0x8040004F
+cp -a Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.fd \
+  Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.verbose.fd
+
+# Rebuild with a silent (errors only) debug mask.
+build ${CC_FLAGS} -a AARCH64 \
+  -p ArmVirtPkg/ArmVirtQemu.dsc \
+  -D DEBUG_PRINT_ERROR_LEVEL=0x80000000
+# endif build_aarch64
+%endif
+
+
+%install
+
+cp -a OvmfPkg/License.txt License.OvmfPkg.txt
+cp -a CryptoPkg/Library/OpensslLib/openssl/LICENSE LICENSE.openssl
+mkdir -p %{buildroot}%{_datadir}/qemu/firmware
+
+# install the tools
+mkdir -p %{buildroot}%{_bindir} \
+         %{buildroot}%{_datadir}/%{name}/Conf \
+         %{buildroot}%{_datadir}/%{name}/Scripts
+install BaseTools/Source/C/bin/* \
+        %{buildroot}%{_bindir}
+install BaseTools/BinWrappers/PosixLike/LzmaF86Compress \
+        %{buildroot}%{_bindir}
+install BaseTools/BuildEnv \
+        %{buildroot}%{_datadir}/%{name}
+install BaseTools/Conf/*.template \
+        %{buildroot}%{_datadir}/%{name}/Conf
+install BaseTools/Scripts/GccBase.lds \
+        %{buildroot}%{_datadir}/%{name}/Scripts
+
+
+%if %{build_ovmf}
+mkdir -p \
+  %{buildroot}%{_datadir}/OVMF \
+  %{buildroot}%{_datadir}/%{name}/ovmf
+
+install -m 0644 Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_CODE.fd \
+  %{buildroot}%{_datadir}/%{name}/ovmf/OVMF_CODE.cc.fd
+install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_CODE.fd \
+  %{buildroot}%{_datadir}/%{name}/ovmf/OVMF_CODE.secboot.fd
+
+install -m 0644 Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \
+  %{buildroot}%{_datadir}/%{name}/ovmf/OVMF_VARS.fd
+install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.secboot.fd \
+  %{buildroot}%{_datadir}/%{name}/ovmf/OVMF_VARS.secboot.fd
+install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/UefiShell.iso \
+  %{buildroot}%{_datadir}/%{name}/ovmf/UefiShell.iso
+
+ln -s ../%{name}/ovmf/OVMF_CODE.secboot.fd %{buildroot}%{_datadir}/OVMF/
+ln -s ../%{name}/ovmf/OVMF_VARS.fd         %{buildroot}%{_datadir}/OVMF/
+ln -s ../%{name}/ovmf/OVMF_VARS.secboot.fd %{buildroot}%{_datadir}/OVMF/
+ln -s ../%{name}/ovmf/UefiShell.iso        %{buildroot}%{_datadir}/OVMF/
+
+install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/Shell.efi \
+  %{buildroot}%{_datadir}/%{name}/ovmf/Shell.efi
+install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/EnrollDefaultKeys.efi \
+  %{buildroot}%{_datadir}/%{name}/ovmf/EnrollDefaultKeys.efi
+
+install -m 0644 edk2-ovmf-sb.json \
+  %{buildroot}%{_datadir}/qemu/firmware/40-edk2-ovmf-sb.json
+install -m 0644 edk2-ovmf.json \
+  %{buildroot}%{_datadir}/qemu/firmware/50-edk2-ovmf.json
+install -m 0644 edk2-ovmf-cc.json \
+  %{buildroot}%{_datadir}/qemu/firmware/50-edk2-ovmf-cc.json
+
+# endif build_ovmf
+%endif
+
+%if %{build_aarch64}
+mkdir -p \
+  %{buildroot}%{_datadir}/AAVMF \
+  %{buildroot}%{_datadir}/%{name}/aarch64
+
+# Pad and install the verbose binary.
+cat Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.verbose.fd \
+  /dev/zero \
+| head -c 64m \
+  > %{buildroot}%{_datadir}/%{name}/aarch64/QEMU_EFI-pflash.raw
+
+# Pad and install the silent (default) binary.
+cat Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.fd \
+  /dev/zero \
+| head -c 64m \
+  > %{buildroot}%{_datadir}/%{name}/aarch64/QEMU_EFI-silent-pflash.raw
+
+# Create varstore template.
+cat Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_VARS.fd \
+  /dev/zero \
+| head -c 64m \
+  > %{buildroot}%{_datadir}/%{name}/aarch64/vars-template-pflash.raw
+
+ln -s ../%{name}/aarch64/QEMU_EFI-pflash.raw \
+  %{buildroot}%{_datadir}/AAVMF/AAVMF_CODE.verbose.fd
+ln -s ../%{name}/aarch64/QEMU_EFI-silent-pflash.raw \
+  %{buildroot}%{_datadir}/AAVMF/AAVMF_CODE.fd
+ln -s ../%{name}/aarch64/vars-template-pflash.raw \
+  %{buildroot}%{_datadir}/AAVMF/AAVMF_VARS.fd
+
+chmod 0644 -- %{buildroot}%{_datadir}/AAVMF/AAVMF_*.fd
+
+install -m 0644 Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.verbose.fd \
+  %{buildroot}%{_datadir}/%{name}/aarch64/QEMU_EFI.fd
+install -m 0644 Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.fd \
+  %{buildroot}%{_datadir}/%{name}/aarch64/QEMU_EFI.silent.fd
+install -m 0644 Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_VARS.fd \
+  %{buildroot}%{_datadir}/%{name}/aarch64/QEMU_VARS.fd
+
+install -m 0644 edk2-aarch64.json \
+  %{buildroot}%{_datadir}/qemu/firmware/60-edk2-aarch64.json
+install -m 0644 edk2-aarch64-verbose.json \
+  %{buildroot}%{_datadir}/qemu/firmware/70-edk2-aarch64-verbose.json
+# endif build_aarch64
+%endif
+
+
+%check
+
+%if %{qosb_testing}
+# Of the installed host kernels, boot the one with the highest Version-Release
+# under OVMF, and check if it prints "Secure boot enabled".
+KERNEL_PKG=$(rpm -q kernel-core | rpmdev-sort | tail -n 1)
+KERNEL_IMG=$(rpm -q -l $KERNEL_PKG | egrep '^/lib/modules/[^/]+/vmlinuz$')
+
+%{__python3} ovmf-vars-generator --verbose --verbose \
+  --qemu-binary        %{qemu_binary} \
+  --ovmf-binary        Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_CODE.fd \
+  --ovmf-template-vars Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \
+  --uefi-shell-iso     Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/UefiShell.iso \
+  --kernel-path        $KERNEL_IMG \
+  --skip-enrollment \
+  --no-download \
+  Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.secboot.fd
+
+# endif qosb_testing
+%endif
+
+
+%global common_files \
+  %%license License.txt License.OvmfPkg.txt License-History.txt LICENSE.openssl \
+  %%dir %%{_datadir}/%%{name}/ \
+  %%dir %%{_datadir}/qemu \
+  %%dir %%{_datadir}/qemu/firmware
+
+%if %{build_ovmf}
+%files ovmf
+%common_files
+%doc OvmfPkg/README
+%doc ovmf-whitepaper-c770f8c.txt
+%dir %{_datadir}/OVMF/
+%dir %{_datadir}/%{name}/ovmf/
+%{_datadir}/%{name}/ovmf/OVMF_CODE.cc.fd
+%{_datadir}/%{name}/ovmf/OVMF_CODE.secboot.fd
+%{_datadir}/%{name}/ovmf/OVMF_VARS.fd
+%{_datadir}/%{name}/ovmf/OVMF_VARS.secboot.fd
+%{_datadir}/%{name}/ovmf/UefiShell.iso
+%{_datadir}/OVMF/OVMF_CODE.secboot.fd
+%{_datadir}/OVMF/OVMF_VARS.fd
+%{_datadir}/OVMF/OVMF_VARS.secboot.fd
+%{_datadir}/OVMF/UefiShell.iso
+%{_datadir}/%{name}/ovmf/Shell.efi
+%{_datadir}/%{name}/ovmf/EnrollDefaultKeys.efi
+%{_datadir}/qemu/firmware/40-edk2-ovmf-sb.json
+%{_datadir}/qemu/firmware/50-edk2-ovmf-cc.json
+%{_datadir}/qemu/firmware/50-edk2-ovmf.json
+# endif build_ovmf
+%endif
+
+%if %{build_aarch64}
+%files aarch64
+%common_files
+%dir %{_datadir}/AAVMF/
+%dir %{_datadir}/%{name}/aarch64/
+%{_datadir}/%{name}/aarch64/QEMU_EFI-pflash.raw
+%{_datadir}/%{name}/aarch64/QEMU_EFI-silent-pflash.raw
+%{_datadir}/%{name}/aarch64/vars-template-pflash.raw
+%{_datadir}/AAVMF/AAVMF_CODE.verbose.fd
+%{_datadir}/AAVMF/AAVMF_CODE.fd
+%{_datadir}/AAVMF/AAVMF_VARS.fd
+%{_datadir}/%{name}/aarch64/QEMU_EFI.fd
+%{_datadir}/%{name}/aarch64/QEMU_EFI.silent.fd
+%{_datadir}/%{name}/aarch64/QEMU_VARS.fd
+%{_datadir}/qemu/firmware/60-edk2-aarch64.json
+%{_datadir}/qemu/firmware/70-edk2-aarch64-verbose.json
+# endif build_aarch64
+%endif
+
+%files tools
+%license License.txt
+%license License-History.txt
+%{_bindir}/DevicePath
+%{_bindir}/EfiRom
+%{_bindir}/GenCrc32
+%{_bindir}/GenFfs
+%{_bindir}/GenFv
+%{_bindir}/GenFw
+%{_bindir}/GenSec
+%{_bindir}/LzmaCompress
+%{_bindir}/LzmaF86Compress
+%{_bindir}/TianoCompress
+%{_bindir}/VfrCompile
+%{_bindir}/VolInfo
+%dir %{_datadir}/%{name}
+%{_datadir}/%{name}/BuildEnv
+%{_datadir}/%{name}/Conf
+%{_datadir}/%{name}/Scripts
+
+%files tools-doc
+%doc BaseTools/UserManuals/*.rtf
+
+
+%changelog
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 20210527gite1999b264f1f-6
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Fri Aug 06 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20210527gite1999b264f1f-5
+- edk2-MdeModulePkg-PartitionDxe-Ignore-PMBR-BootIndicator-.patch [bz#1988760]
+- Resolves: bz#1988760
+  (edk2 does not ignore PMBR protective record BootIndicator as required by UEFI spec)
+
+* Fri Jul 30 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20210527gite1999b264f1f-4
+- edk2-spec-remove-Group-and-defattr.patch [bz#1983789]
+- edk2-spec-Add-BuildRequires-make.patch [bz#1983789]
+- edk2-spec-don-t-conditionalize-package-definitions.patch [bz#1983789]
+- edk2-spec-Use-autosetup-with-our-required-git-config-opti.patch [bz#1983789]
+- edk2-spec-Replace-ifarch-else-conditionals-with-build_XXX.patch [bz#1983789]
+- edk2-spec-Move-D-TPM_ENABLE-to-common-CC_FLAGS.patch [bz#1983789]
+- edk2-spec-Add-qemu_package-and-qemu_binary.patch [bz#1983789]
+- edk2-spec-Remove-extra-true-at-end-of-check.patch [bz#1983789]
+- edk2-spec-Move-check-to-between-install-and-files.patch [bz#1983789]
+- edk2-spec-Add-qosb_testing-macro.patch [bz#1983789]
+- edk2-spec-Split-out-build_iso-function.patch [bz#1983789]
+- edk2-spec-Replace-RPM_BUILD_ROOT-with-buildroot.patch [bz#1983789]
+- edk2-spec-Use-make_build-macro.patch [bz#1983789]
+- edk2-spec-Factor-out-OVMF_FLAGS-and-OVMF_SB_FLAGS.patch [bz#1983789]
+- edk2-spec-Don-t-put-build-output-in-the-top-directory.patch [bz#1983789]
+- edk2-spec-Centralize-non-firmware-install-files-at-the-to.patch [bz#1983789]
+- Resolves: bz#1983789
+  (Make spec easier to share with Fedora)
+
+* Mon Jul 12 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20210527gite1999b264f1f-3
+- edk2-OvmfPkg-Remove-PrintDxe-RHEL-only.patch [bz#1967747]
+- edk2-OvmfPkg-Remove-EbcDxe-RHEL-only.patch [bz#1967747]
+- edk2-ArmVirtPkg-Remove-EbcDxe-RHEL-only.patch [bz#1967747]
+- edk2-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch [bz#1967747]
+- edk2-OvmfPkg-Remove-QemuRamfbDxe-display-device-driver-RH.patch [bz#1967747]
+- edk2-ArmVirtPkg-Remove-QemuRamfbDxe-display-device-driver.patch [bz#1967747]
+- edk2-OvmfPkg-Remove-NvmExpressDxe-device-driver-RHEL-only.patch [bz#1967747]
+- edk2-ArmVirtPkg-Remove-NvmExpressDxe-device-driver-RHEL-o.patch [bz#1967747]
+- edk2-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch [bz#1967747]
+- edk2-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch [bz#1967747]
+- edk2-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch [bz#1967747]
+- edk2-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch [bz#1967747]
+- edk2-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch [bz#1967747]
+- edk2-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch [bz#1967747]
+- edk2-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch [bz#1967747]
+- edk2-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch [bz#1967747]
+- edk2-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch [bz#1967747]
+- edk2-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch [bz#1967747]
+- edk2-OvmfPkg-Remove-Xen-Drivers-RHEL-only.patch [bz#1967747]
+- Resolves: bz#1967747
+  (edk2: review features and drivers shipped in RHEL)
+
+* Fri Jul 02 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20210527gite1999b264f1f-2
+- edk2-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch [bz#1961100]
+- edk2-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch [bz#1961100]
+- edk2-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch [bz#1961100]
+- edk2-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch [bz#1961100]
+- edk2-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch [bz#1961100]
+- edk2-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch [bz#1961100]
+- edk2-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch [bz#1961100]
+- edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch [bz#1961100]
+- edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch [bz#1961100]
+- edk2-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch [bz#1961100]
+- edk2-redhat-build-UefiShell.iso-with-xorriso-rather-than-.patch [bz#1971840]
+- Resolves: bz#1961100
+  (edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0])
+- Resolves: bz#1971840
+  (Please replace genisoimage with xorriso)
+
+* Wed Jun 23 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20210527gite1999b264f1f-1
+- Rebase to edk2-stable202105 [bz#1938254]
+- Sync edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch from RHEL-8
+- Sync edk2-redhat-add-OVMF-binary-that-will-support-SEV-ES.patch from RHEL-8
+- Resolves: bz#1938254
+  ((edk2-rebase-rhel-9.0) - rebase edk2 to edk2-stable202105 for RHEL-9-Beta)
+
+* Fri Jan 08 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-1.el9
+- Include fixes to build in RHEL 9 environment (bz#1906468)
+- Resolves: bz#1906468
+  ([RHEL9][FTBFS] edk2 FTBFS on Red Hat Enterprise Linux 9.0.0 Alpha)
+
+* Mon Nov 23 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-4.el8
+- edk2-OvmfPkg-SmmControl2Dxe-negotiate-ICH9_LPC_SMI_F_CPU_.patch [bz#1849177]
+- edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-befo.patch [bz#1849177]
+- edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-afte.patch [bz#1849177]
+- edk2-CryptoPkg-OpensslLib-Upgrade-OpenSSL-to-1.1.1g.patch [bz#1893806]
+- edk2-redhat-bump-OpenSSL-dist-git-submodule-to-1.1.1g-RHE.patch [bz#1893806]
+- Resolves: bz#1849177
+  (OVMF: negotiate "SMI on VCPU hotplug" with QEMU)
+- Resolves: bz#1893806
+  (attempt advancing RHEL8 edk2's OpenSSL submodule to RHEL8 OpenSSL 1.1.1g (or later))
+
+* Mon Aug 10 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-3.el8
+- edk2-UefiCpuPkg-PiSmmCpuDxeSmm-pause-in-WaitForSemaphore-.patch [bz#1861718]
+- Resolves: bz#1861718
+  (Very slow boot when overcommitting CPU)
+
+* Wed Jun 24 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-2.el8
+- edk2-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch [bz#1844682]
+- edk2-OvmfPkg-GenericQemuLoadImageLib-log-Not-Found-at-INF.patch [bz#1844682]
+- edk2-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch [bz#1844682]
+- Resolves: bz#1844682
+  (silent build of edk2-aarch64 logs DEBUG_ERROR messages that don't actually report serious errors)
+
+* Sat Jun 13 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-1.el8
+- Rebase to edk2-stable202005 [bz#1817035]
+- Resolves: bz#1817035
+  ((edk2-rebase-rhel-8.3) - rebase edk2 to upstream tag edk2-stable202005 for RHEL-8.3)
+
+* Fri Mar 27 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-9.el8
+- edk2-OvmfPkg-QemuVideoDxe-unbreak-secondary-vga-and-bochs.patch [bz#1806359]
+- Resolves: bz#1806359
+  (bochs-display cannot show graphic wihout driver attach)
+
+* Tue Feb 18 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-8.el8
+- edk2-MdeModulePkg-Enable-Disable-S3BootScript-dynamically.patch [bz#1801274]
+- edk2-MdeModulePkg-PiDxeS3BootScriptLib-Fix-potential-nume.patch [bz#1801274]
+- Resolves: bz#1801274
+  (CVE-2019-14563 edk2: numeric truncation in MdeModulePkg/PiDxeS3BootScriptLib [rhel-8])
+
+* Tue Feb 11 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-7.el8
+- edk2-SecurityPkg-Fix-spelling-errors-PARTIAL-PICK.patch [bz#1751993]
+- edk2-SecurityPkg-DxeImageVerificationHandler-simplify-Ver.patch [bz#1751993]
+- edk2-SecurityPkg-DxeImageVerificationHandler-remove-else-.patch [bz#1751993]
+- edk2-SecurityPkg-DxeImageVerificationHandler-keep-PE-COFF.patch [bz#1751993]
+- edk2-SecurityPkg-DxeImageVerificationHandler-narrow-down-.patch [bz#1751993]
+- edk2-SecurityPkg-DxeImageVerificationHandler-fix-retval-o.patch [bz#1751993]
+- edk2-SecurityPkg-DxeImageVerificationHandler-remove-super.patch [bz#1751993]
+- edk2-SecurityPkg-DxeImageVerificationHandler-unnest-AddIm.patch [bz#1751993]
+- edk2-SecurityPkg-DxeImageVerificationHandler-eliminate-St.patch [bz#1751993]
+- edk2-SecurityPkg-DxeImageVerificationHandler-fix-retval-f.patch [bz#1751993]
+- edk2-SecurityPkg-DxeImageVerificationHandler-fix-imgexec-.patch [bz#1751993]
+- edk2-SecurityPkg-DxeImageVerificationHandler-fix-defer-vs.patch [bz#1751993]
+- Resolves: bz#1751993
+  (DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8])
+
+* Tue Jan 21 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-6.el8
+- edk2-UefiCpuPkg-PiSmmCpuDxeSmm-fix-2M-4K-page-splitting-r.patch [bz#1789335]
+- Resolves: bz#1789335
+  (VM with edk2 can't boot when setting memory with '-m 2001')
+
+* Thu Jan 16 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-5.el8
+- edk2-MdeModulePkg-UefiBootManagerLib-log-reserved-mem-all.patch [bz#1789797]
+- edk2-NetworkPkg-HttpDxe-fix-32-bit-truncation-in-HTTPS-do.patch [bz#1789797]
+- Resolves: bz#1789797
+  (Backport upstream patch series: "UefiBootManagerLib, HttpDxe: tweaks for large HTTP(S) downloads" to improve HTTP(S) Boot experience with large (4GiB+) files)
+
+* Wed Dec 11 2019 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-4.el8
+- edk2-redhat-set-guest-RAM-size-to-768M-for-SB-varstore-te.patch [bz#1778301]
+- edk2-redhat-re-enable-Secure-Boot-varstore-template-verif.patch [bz#1778301]
+- Resolves: bz#1778301
+  (re-enable Secure Boot (varstore template) verification in %check)
+
+* Thu Dec 05 2019 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-3.el8
+- Update used openssl version [bz#1616029]
+- Resolves: bz#1616029
+  (rebuild edk2 against the final RHEL-8.2.0 version of OpenSSL-1.1.1)
+
+* Mon Dec 02 2019 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-2.el8
+- edk2-MdePkg-Include-Protocol-Tls.h-Add-the-data-type-of-E.patch [bz#1536624]
+- edk2-CryptoPkg-TlsLib-Add-the-new-API-TlsSetVerifyHost-CV.patch [bz#1536624]
+- edk2-CryptoPkg-Crt-turn-strchr-into-a-function-CVE-2019-1.patch [bz#1536624]
+- edk2-CryptoPkg-Crt-satisfy-inet_pton.c-dependencies-CVE-2.patch [bz#1536624]
+- edk2-CryptoPkg-Crt-import-inet_pton.c-CVE-2019-14553.patch [bz#1536624]
+- edk2-CryptoPkg-TlsLib-TlsSetVerifyHost-parse-IP-address-l.patch [bz#1536624]
+- edk2-NetworkPkg-TlsDxe-Add-the-support-of-host-validation.patch [bz#1536624]
+- edk2-NetworkPkg-HttpDxe-Set-the-HostName-for-the-verifica.patch [bz#1536624]
+- edk2-redhat-enable-HTTPS-Boot.patch [bz#1536624]
+- Resolves: bz#1536624
+  (HTTPS enablement in OVMF)
+
+* Fri Nov 29 2019 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-1.el8
+- Rebase to edk2-stable201908 [bz#1748180]
+- Resolves: bz#1748180
+  ((edk2-rebase-rhel-8.2) - rebase edk2 to upstream tag edk2-stable201908 for RHEL-8.2)
+
+* Mon Aug 05 2019 Miroslav Rezanina <mrezanin@redhat.com> - 20190308git89910a39dcfd-6.el8
+- edk2-ArmVirtPkg-silence-DEBUG_VERBOSE-masking-0x00400000-.patch [bz#1714446]
+- edk2-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch [bz#1714446]
+- edk2-ArmPkg-DebugPeCoffExtraActionLib-debugger-commands-a.patch [bz#1714446]
+- Resolves: bz#1714446
+  (edk2-aarch64 silent build is not silent enough)
+
+* Tue Jul 02 2019 Miroslav Rezanina <mrezanin@redhat.com> - 20190308git89910a39dcfd-5.el8
+- edk2-redhat-add-D-TPM2_ENABLE-to-the-edk2-ovmf-build-flag.patch [bz#1693205]
+- Resolves: bz#1693205
+  (edk2: Enable TPM2 support)
+
+* Tue Jun 11 2019 Miroslav Rezanina <mrezanin@redhat.com> - 20190308git89910a39dcfd-4.el8
+- edk2-OvmfPkg-raise-the-PCIEXBAR-base-to-2816-MB-on-Q35.patch [bz#1666941]
+- edk2-OvmfPkg-PlatformPei-set-32-bit-UC-area-at-PciBase-Pc.patch [bz#1666941]
+- Resolves: bz#1666941
+  (UEFI guest cannot boot into os when setting some special memory size)
+
+* Tue Apr 09 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20190308git89910a39dcfd-2.el8
+- edk2-redhat-provide-firmware-descriptor-meta-files.patch [bz#1600230]
+- Resolves: bz#1600230
+  ([RHEL 8.1] RFE: provide firmware descriptor meta-files for the edk2-ovmf and edk2-aarch64 firmware images)
+
+* Mon Apr 08 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20190308git89910a39dcfd-1.el8
+- Rebase to edk2-20190308git89910a39dcfd
+
+* Mon Jan 21 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-9.el8
+- edk2-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch [bz#1662184]
+- edk2-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch [bz#1662184]
+- edk2-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch [bz#1662184]
+- edk2-git-Use-HTTPS-support.patch []
+- Resolves: bz#1662184
+  (backport fix for (theoretical?) regression introduced by earlier CVE fixes)
+
+* Wed Nov 21 2018 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-8.el8
+- edk2-NetworkPkg-UefiPxeBcDxe-Add-EXCLUSIVE-attribute-when.patch [bz#1643377]
+- Resolves: bz#1643377
+  (Exception when grubx64.efi used for UEFI netboot)
+
+* Tue Nov 06 2018 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-5.el8
+- edk2-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch [bz#1641436]
+- edk2-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch [bz#1641449 bz#1641453 bz#1641464 bz#1641469]
+- edk2-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch [bz#1641453 bz#1641464 bz#1641469]
+- edk2-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch [bz#1641445 bz#1641453 bz#1641464 bz#1641469]
+- Resolves: bz#1641436
+  (CVE-2018-3613 edk2: Logic error in MdeModulePkg in EDK II firmware allows for privilege escalation by authenticated users [rhel-8])
+- Resolves: bz#1641445
+  (CVE-2017-5731 edk2: Privilege escalation via processing of malformed files in TianoCompress.c [rhel-8])
+- Resolves: bz#1641449
+  (CVE-2017-5732 edk2: Privilege escalation via processing of malformed files in BaseUefiDecompressLib.c [rhel-8])
+- Resolves: bz#1641453
+  (CVE-2017-5733 edk2: Privilege escalation via heap-based buffer overflow in MakeTable() function [rhel-8])
+- Resolves: bz#1641464
+  (CVE-2017-5734 edk2: Privilege escalation via stack-based buffer overflow in MakeTable() function [rhel-8])
+- Resolves: bz#1641469
+  (CVE-2017-5735 edk2: Privilege escalation via heap-based buffer overflow in Decode() function [rhel-8])
+
+* Tue Sep 04 2018 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-5.el8
+- edk2-BaseTools-footer.makefile-expand-BUILD_CFLAGS-last-f.patch [bz#1607906]
+- edk2-BaseTools-header.makefile-remove-c-from-BUILD_CFLAGS.patch [bz#1607906]
+- edk2-BaseTools-Source-C-split-O2-to-BUILD_OPTFLAGS.patch [bz#1607906]
+- edk2-BaseTools-Source-C-take-EXTRA_OPTFLAGS-from-the-call.patch [bz#1607906]
+- edk2-BaseTools-Source-C-take-EXTRA_LDFLAGS-from-the-calle.patch [bz#1607906]
+- edk2-BaseTools-VfrCompile-honor-EXTRA_LDFLAGS.patch [bz#1607906]
+- edk2-redhat-inject-the-RPM-compile-and-link-options-to-th.patch [bz#1607906]
+- Resolves: bz#1607906
+  (edk2-tools: Does not use RPM build flags)
+
+* Wed Aug 08 2018 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-4.el8
+- edk2-redhat-provide-virtual-bundled-OpenSSL-in-edk2-ovmf-.patch [bz#1607801]
+- Resolves: bz#1607801
+  (add 'Provides: bundled(openssl) = 1.1.0h' to the spec file)
+
+* Tue Jul 24 2018 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-3.el8
+- edk2-redhat-Provide-and-Obsolete-OVMF-and-AAVMF.patch [bz#1596148]
+- edk2-ArmVirtPkg-unify-HttpLib-resolutions-in-ArmVirt.dsc..patch [bz#1536627]
+- edk2-ArmVirtPkg-ArmVirtQemu-enable-the-IPv6-stack.patch [bz#1536627]
+- edk2-advertise-OpenSSL-due-to-IPv6-enablement-too-RHEL-on.patch [bz#1536627]
+- edk2-redhat-add-D-NETWORK_IP6_ENABLE-to-the-build-flags.patch [bz#1536627]
+- edk2-redhat-update-license-fields-and-files-in-the-spec-f.patch [bz#1536627]
+- Resolves: bz#1536627
+  (IPv6 enablement in OVMF)
+- Resolves: bz#1596148
+  (restore Provides/Obsoletes macros for OVMF and AAVMF, from RHEL-8 Alpha)
+
+* Tue Jul 10 2018 Danilo C. L. de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-2.el8
+- Rebase edk2 on top of 20180508gitee3198e672e2
+
+* Fri Jun 08 2018 Miroslav Rezanina <mrezanin@redhat.com> - 20180508-2.gitee3198e672e2
+- OvmfPkg/PlatformBootManagerLib: connect consoles unconditionally [bz#1577546]
+- build OVMF varstore template with SB enabled / certs enrolled [bz#1561128]
+- connect Virtio RNG devices again [bz#1579518]
+- Resolves: bz#1577546
+  (no input consoles connected under certain circumstances)
+- Resolves: bz#1561128
+  (OVMF Secure boot enablement (enrollment of default keys))
+- Resolves: bz#1579518
+  (EFI_RNG_PROTOCOL no longer produced for virtio-rng)
+* Wed Dec 06 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20171011-4.git92d07e48907f.el7
+- ovmf-MdeModulePkg-Core-Dxe-log-informative-memprotect-msg.patch [bz#1520485]
+- ovmf-MdeModulePkg-BdsDxe-fall-back-to-a-Boot-Manager-Menu.patch [bz#1515418]
+- Resolves: bz#1515418
+  (RFE: Provide diagnostics for failed boot)
+- Resolves: bz#1520485
+  (AAVMF: two new messages with silent build)
+
+* Fri Dec 01 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20171011-3.git92d07e48907f.el7
+- ovmf-UefiCpuPkg-CpuDxe-Fix-multiple-entries-of-RT_CODE-in.patch [bz#1518308]
+- ovmf-MdeModulePkg-DxeCore-Filter-out-all-paging-capabilit.patch [bz#1518308]
+- ovmf-MdeModulePkg-Core-Merge-memory-map-after-filtering-p.patch [bz#1518308]
+- Resolves: bz#1518308
+  (UEFI memory map regression (runtime code entry splitting) introduced by c1cab54ce57c)
+
+* Mon Nov 27 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20171011-2.git92d07e48907f.el7
+- ovmf-MdeModulePkg-Bds-Remove-assertion-in-BmCharToUint.patch [bz#1513632]
+- ovmf-MdeModulePkg-Bds-Check-variable-name-even-if-OptionN.patch [bz#1513632]
+- ovmf-MdeModulePkg-PciBus-Fix-bug-that-PCI-BUS-claims-too-.patch [bz#1514105]
+- ovmf-OvmfPkg-make-it-a-proper-BASE-library.patch [bz#1488247]
+- ovmf-OvmfPkg-create-a-separate-PlatformDebugLibIoPort-ins.patch [bz#1488247]
+- ovmf-OvmfPkg-save-on-I-O-port-accesses-when-the-debug-por.patch [bz#1488247]
+- ovmf-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch [bz#1488247]
+- ovmf-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-QemuVide.patch [bz#1488247]
+- ovmf-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch [bz#1488247]
+- ovmf-Revert-redhat-introduce-separate-silent-and-verbose-.patch [bz#1488247]
+- Resolves: bz#1488247
+  (make debug logging no-op unless a debug console is active)
+- Resolves: bz#1513632
+  ([RHEL-ALT 7.5] AAVMF fails to boot after setting BootNext)
+- Resolves: bz#1514105
+  (backport edk2 commit 6e3287442774 so that PciBusDxe not over-claim resources)
+
+* Wed Oct 18 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20171011-1.git92d07e48907f.el7
+- Rebase to 92d07e48907f [bz#1469787]
+- Resolves: bz#1469787
+  ((ovmf-rebase-rhel-7.5) Rebase OVMF for RHEL-7.5)
+- Resolves: bz#1434740
+  (OvmfPkg/PciHotPlugInitDxe: don't reserve IO space when IO support is disabled)
+- Resolves: bz#1434747
+  ([Q35] code12 error when hotplug x710 device in win2016)
+- Resolves: bz#1447027
+  (Guest cannot boot with 240 or above vcpus when using ovmf)
+- Resolves: bz#1458192
+  ([Q35] recognize "usb-storage" devices in XHCI ports)
+- Resolves: bz#1468526
+  (>1TB RAM support)
+- Resolves: bz#1488247
+  (provide "OVMF_CODE.secboot.verbose.fd" for log capturing; silence "OVMF_CODE.secboot.fd")
+- Resolves: bz#1496170
+  (Inconsistent MOR control variables exposed by OVMF, breaks Windows Device Guard)
+
+* Fri May 12 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20170228-5.gitc325e41585e3.el7
+- ovmf-OvmfPkg-EnrollDefaultKeys-update-SignatureOwner-GUID.patch [bz#1443351]
+- ovmf-OvmfPkg-EnrollDefaultKeys-expose-CertType-parameter-.patch [bz#1443351]
+- ovmf-OvmfPkg-EnrollDefaultKeys-blacklist-empty-file-in-db.patch [bz#1443351]
+- ovmf-OvmfPkg-introduce-the-FD_SIZE_IN_KB-macro-build-flag.patch [bz#1443351]
+- ovmf-OvmfPkg-OvmfPkg.fdf.inc-extract-VARS_LIVE_SIZE-and-V.patch [bz#1443351]
+- ovmf-OvmfPkg-introduce-4MB-flash-image-mainly-for-Windows.patch [bz#1443351]
+- ovmf-OvmfPkg-raise-max-variable-size-auth-non-auth-to-33K.patch [bz#1443351]
+- ovmf-OvmfPkg-PlatformPei-handle-non-power-of-two-spare-si.patch [bz#1443351]
+- ovmf-redhat-update-local-build-instructions-with-D-FD_SIZ.patch [bz#1443351]
+- ovmf-redhat-update-OVMF-build-commands-with-D-FD_SIZE_4MB.patch [bz#1443351]
+- Resolves: bz#1443351
+  ([svvp][ovmf] job "Secure Boot Logo Test" failed  with q35&ovmf)
+
+* Fri Apr 28 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20170228-4.gitc325e41585e3.el7
+- ovmf-ShellPkg-Shell-clean-up-bogus-member-types-in-SPLIT_.patch [bz#1442908]
+- ovmf-ShellPkg-Shell-eliminate-double-free-in-RunSplitComm.patch [bz#1442908]
+- Resolves: bz#1442908
+  (Guest hang when running a wrong command in Uefishell)
+
+* Tue Apr 04 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20170228-3.gitc325e41585e3.el7
+- ovmf-ArmVirtPkg-FdtClientDxe-supplement-missing-EFIAPI-ca.patch [bz#1430262]
+- ovmf-ArmVirtPkg-ArmVirtPL031FdtClientLib-unconditionally-.patch [bz#1430262]
+- ovmf-MdeModulePkg-RamDiskDxe-fix-C-string-literal-catenat.patch [bz#1430262]
+- ovmf-EmbeddedPkg-introduce-EDKII-Platform-Has-ACPI-GUID.patch [bz#1430262]
+- ovmf-EmbeddedPkg-introduce-PlatformHasAcpiLib.patch [bz#1430262]
+- ovmf-EmbeddedPkg-introduce-EDKII-Platform-Has-Device-Tree.patch [bz#1430262]
+- ovmf-ArmVirtPkg-add-PlatformHasAcpiDtDxe.patch [bz#1430262]
+- ovmf-ArmVirtPkg-enable-AcpiTableDxe-and-EFI_ACPI_TABLE_PR.patch [bz#1430262]
+- ovmf-ArmVirtPkg-FdtClientDxe-install-DT-as-sysconfig-tabl.patch [bz#1430262]
+- ovmf-ArmVirtPkg-PlatformHasAcpiDtDxe-don-t-expose-DT-if-Q.patch [bz#1430262]
+- ovmf-ArmVirtPkg-remove-PURE_ACPI_BOOT_ENABLE-and-PcdPureA.patch [bz#1430262]
+- Resolves: bz#1430262
+  (AAVMF: forward QEMU's DT to the guest OS only if ACPI payload is unavailable)
+
+* Mon Mar 27 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20170228-2.gitc325e41585e3.el7
+- ovmf-MdeModulePkg-Core-Dxe-downgrade-CodeSegmentCount-is-.patch [bz#1433428]
+- Resolves: bz#1433428
+  (AAVMF: Fix error message during ARM guest VM installation)
+
+* Wed Mar 08 2017 Laszlo Ersek <lersek@redhat.com> - ovmf-20170228-1.gitc325e41585e3.el7
+- Rebase to upstream c325e41585e3 [bz#1416919]
+- Resolves: bz#1373812
+  (guest boot from network even set 'boot order=1' for virtio disk with OVMF)
+- Resolves: bz#1380282
+  (Update OVMF to openssl-1.0.2k-hobbled)
+- Resolves: bz#1412313
+  (select broadcast SMI if available)
+- Resolves: bz#1416919
+  (Rebase OVMF for RHEL-7.4)
+- Resolves: bz#1426330
+  (disable libssl in CryptoPkg)
+
+* Mon Sep 12 2016 Laszlo Ersek <lersek@redhat.com> - ovmf-20160608b-1.git988715a.el7
+- rework downstream-only commit dde83a75b566 "setup the tree for the secure
+  boot feature (RHEL only)", excluding patent-encumbered files from the
+  upstream OpenSSL 1.0.2g tarball [bz#1374710]
+- rework downstream-only commit dfc3ca1ee509 "CryptoPkg/OpensslLib: Upgrade
+  OpenSSL version to 1.0.2h", excluding patent-encumbered files from the
+  upstream OpenSSL 1.0.2h tarball [bz#1374710]
+
+* Thu Aug 04 2016 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20160608-3.git988715a.el7
+- ovmf-MdePkg-PCI-Add-missing-PCI-PCIE-definitions.patch [bz#1332408]
+- ovmf-ArmPlatformPkg-NorFlashDxe-accept-both-non-secure-an.patch [bz#1353494]
+- ovmf-ArmVirtPkg-ArmVirtQemu-switch-secure-boot-build-to-N.patch [bz#1353494]
+- ovmf-ArmPlatformPkg-NorFlashAuthenticatedDxe-remove-this-.patch [bz#1353494]
+- ovmf-ArmVirtPkg-add-FDF-definition-for-empty-varstore.patch [bz#1353494]
+- ovmf-redhat-package-the-varstore-template-produced-by-the.patch [bz#1353494]
+- ovmf-ArmVirtPkg-Re-add-the-Driver-Health-Manager.patch [bz#1353494]
+- ovmf-ArmVirtPkg-HighMemDxe-allow-patchable-PCD-for-PcdSys.patch [bz#1353494]
+- ovmf-ArmVirtPkg-ArmVirtQemuKernel-make-ACPI-support-AARCH.patch [bz#1353494]
+- ovmf-ArmVirtPkg-align-ArmVirtQemuKernel-with-ArmVirtQemu.patch [bz#1353494]
+- ovmf-ArmVirtPkg-ArmVirtQemu-factor-out-shared-FV.FvMain-d.patch [bz#1353494]
+- ovmf-ArmVirtPkg-factor-out-Rules-FDF-section.patch [bz#1353494]
+- ovmf-ArmVirtPkg-add-name-GUIDs-to-FvMain-instances.patch [bz#1353494]
+- ovmf-OvmfPkg-add-a-Name-GUID-to-each-Firmware-Volume.patch [bz#1353494]
+- ovmf-OvmfPkg-PlatformBootManagerLib-remove-stale-FvFile-b.patch [bz#1353494]
+- ovmf-MdePkg-IndustryStandard-introduce-EFI_PCI_CAPABILITY.patch [bz#1332408]
+- ovmf-MdeModulePkg-PciBusDxe-look-for-the-right-capability.patch [bz#1332408]
+- ovmf-MdeModulePkg-PciBusDxe-recognize-hotplug-capable-PCI.patch [bz#1332408]
+- ovmf-OvmfPkg-add-PciHotPlugInitDxe.patch [bz#1332408]
+- ovmf-ArmPkg-ArmGicLib-manage-GICv3-SPI-state-at-the-distr.patch [bz#1356655]
+- ovmf-ArmVirtPkg-PlatformBootManagerLib-remove-stale-FvFil.patch [bz#1353494]
+- ovmf-OvmfPkg-EnrollDefaultKeys-assign-Status-before-readi.patch [bz#1356913]
+- ovmf-OvmfPkg-EnrollDefaultKeys-silence-VS2015x86-warning-.patch [bz#1356913]
+- ovmf-CryptoPkg-update-openssl-to-ignore-RVCT-3079.patch [bz#1356184]
+- ovmf-CryptoPkg-Fix-typos-in-comments.patch [bz#1356184]
+- ovmf-CryptoPkg-BaseCryptLib-Avoid-passing-NULL-ptr-to-fun.patch [bz#1356184]
+- ovmf-CryptoPkg-BaseCryptLib-Init-the-content-of-struct-Ce.patch [bz#1356184]
+- ovmf-CryptoPkg-OpensslLib-Upgrade-OpenSSL-version-to-1.0..patch [bz#1356184]
+- Resolves: bz#1332408
+  (Q35 machine can not hot-plug scsi controller under switch)
+- Resolves: bz#1353494
+  ([OVMF] "EFI Internal Shell" should be removed from "Boot Manager")
+- Resolves: bz#1356184
+  (refresh embedded OpenSSL to 1.0.2h)
+- Resolves: bz#1356655
+  (AAVMF: stop accessing unmapped gicv3 registers)
+- Resolves: bz#1356913
+  (fix use-without-initialization in EnrollDefaultKeys.efi)
+
+* Tue Jul 12 2016 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20160608-2.git988715a.el7
+- ovmf-ArmPkg-ArmGicV3Dxe-configure-all-interrupts-as-non-s.patch [bz#1349407]
+- ovmf-ArmVirtPkg-PlatformBootManagerLib-Postpone-the-shell.patch [bz#1353689]
+- Resolves: bz#1349407
+  (AArch64: backport fix to run over gicv3 emulation)
+- Resolves: bz#1353689
+  (AAVMF: Drops to shell with uninitialized NVRAM file)
+
+* Thu Jun 9 2016 Laszlo Ersek <lersek@redhat.com> - ovmf-20160608-1.git988715a.el7
+- Resolves: bz#1341733
+  (prevent SMM stack overflow in OVMF while enrolling certificates in "db")
+- Resolves: bz#1257882
+  (FEAT: support to boot from virtio 1.0 modern devices)
+- Resolves: bz#1333238
+  (Q35 machine can not boot up successfully with more than 3 virtio-scsi
+  storage controller under switch)
+- Resolves: bz#1330955
+  (VM can not be booted up from hard disk successfully when with a passthrough
+  USB stick)
+
+* Thu May 19 2016 Laszlo Ersek <lersek@redhat.com> - ovmf-20160419-2.git90bb4c5.el7
+- Submit scratch builds from the exploded tree again to
+  supp-rhel-7.3-candidate, despite FatPkg being OSS at this point; see
+  bz#1329559.
+
+* Wed Apr 20 2016 Laszlo Ersek <lersek@redhat.com> - ovmf-20160419-1.git90bb4c5.el7
+- FatPkg is under the 2-clause BSDL now; "ovmf" has become OSS
+- upgrade to openssl-1.0.2g
+- Resolves: bz#1323363
+  (remove "-D SECURE_BOOT_ENABLE" from AAVMF)
+- Resolves: bz#1257882
+  (FEAT: support to boot from virtio 1.0 modern devices)
+- Resolves: bz#1308678
+  (clearly separate SB-less, SMM-less OVMF binary from SB+SMM OVMF binary)
+
+* Fri Feb 19 2016 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20160202-2.gitd7c0dfa.el7
+- ovmf-restore-TianoCore-splash-logo-without-OpenSSL-advert.patch [bz#1308678]
+- ovmf-OvmfPkg-ArmVirtPkg-show-OpenSSL-less-logo-without-Se.patch [bz#1308678]
+- ovmf-OvmfPkg-simplify-VARIABLE_STORE_HEADER-generation.patch [bz#1308678]
+- ovmf-redhat-bring-back-OVMF_CODE.fd-but-without-SB-and-wi.patch [bz#1308678]
+- ovmf-redhat-rename-OVMF_CODE.smm.fd-to-OVMF_CODE.secboot..patch [bz#1308678]
+
+* Tue Feb 2 2016 Laszlo Ersek <lersek@redhat.com> - ovmf-20160202-1.gitd7c0dfa.el7
+- rebase to upstream d7c0dfa
+- update OpenSSL to 1.0.2e (upstream)
+- update FatPkg to SVN r97 (upstream)
+- drive NVMe devices (upstream)
+- resize xterm on serial console mode change, when requested with
+  -fw_cfg name=opt/(ovmf|aavmf)/PcdResizeXterm,string=y
+  (downstream)
+- Resolves: bz#1259395
+  (revert / roll back AAVMF fix for BZ 1188054)
+- Resolves: bz#1202819
+  (OVMF: secure boot limitations)
+- Resolves: bz#1182495
+  (OVMF rejects iPXE oprom when Secure Boot is enabled)
+
+* Thu Nov 5 2015 Laszlo Ersek <lersek@redhat.com> - ovmf-20151104-1.gitb9ffeab.el7
+- rebase to upstream b9ffeab
+- Resolves: bz#1207554
+  ([AAVMF] AArch64: populate SMBIOS)
+- Resolves: bz#1270279
+  (AAVMF: output improvements)
+
+* Thu Jun 25 2015 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20150414-2.gitc9e5618.el7
+- ovmf-OvmfPkg-PlatformPei-set-SMBIOS-entry-point-version-d.patch [bz#1232876]
+- Resolves: bz#1232876
+  (OVMF should install a version 2.8 SMBIOS entry point)
+
+* Sat Apr 18 2015 Laszlo Ersek <lersek@redhat.com> - 20150414-1.gitc9e5618.el7
+- rebase from upstream 9ece15a to c9e5618
+- adapt .gitignore files
+- update to openssl-0.9.8zf
+- create Logo-OpenSSL.bmp rather than modifying Logo.bmp in-place
+- update to FatPkg SVN r93 (git 8ff136aa)
+- drop the following downstream-only patches (obviated by upstream
+  counterparts):
+  "tools_def.template: use forward slash with --add-gnu-debuglink (RHEL only)"
+  "tools_def.template: take GCC48 prefixes from environment (RHEL only)"
+  "OvmfPkg: set video resolution of text setup to 640x480 (RHEL only)"
+  "OvmfPkg: resolve OrderedCollectionLib with base red-black tree instance"
+  "OvmfPkg: AcpiPlatformDxe: actualize QemuLoader.h comments"
+  "OvmfPkg: AcpiPlatformDxe: remove current ACPI table loader"
+  "OvmfPkg: AcpiPlatformDxe: implement QEMU's full ACPI table loader interface"
+  "OvmfPkg: QemuVideoDxe: fix querying of QXL's drawable buffer size"
+  "OvmfPkg: disable stale fork of SecureBootConfigDxe"
+  "OvmfPkg: SecureBootConfigDxe: remove stale fork"
+  "Try to read key strike even when ..."
+  "OvmfPkg: BDS: remove dead call to PlatformBdsEnterFrontPage()"
+  "OvmfPkg: BDS: drop useless return statement"
+  "OvmfPkg: BDS: don't overwrite the BDS Front Page timeout"
+  "OvmfPkg: BDS: optimize second argument in PlatformBdsEnterFrontPage() call"
+  'OvmfPkg: BDS: drop superfluous "connect first boot option" logic'
+  "OvmfPkg: BDS: drop custom boot timeout, revert to IntelFrameworkModulePkg's"
+  "Add comments to clarify mPubKeyStore buffer MemCopy. ..."
+  "MdeModulePkg/SecurityPkg Variable: Add boundary check..."
+  "OvmfPkg: AcpiPlatformDxe: make dependency on PCI enumeration explicit"
+  "MdePkg: UefiScsiLib: do not encode LUN in CDB for READ and WRITE"
+  "MdePkg: UefiScsiLib: do not encode LUN in CDB for other SCSI commands"
+- merge downstream AAVMF patch "adapt packaging to Arm64", which forces us to
+  rename the main package from "OVMF" to "ovmf"
+- drop the following ARM BDS specific tweaks (we'll only build the Intel BDS):
+  "ArmPlatformPkg/Bds: generate ESP Image boot option if user pref is unset
+   (Acadia)"
+  "ArmPlatformPkg/Bds: check for other defaults too if user pref is unset
+   (Acadia)"
+  "ArmPlatformPkg/ArmVirtualizationPkg: auto-detect boot path (Acadia)"
+  "ArmPlatformPkg/Bds: initialize ConIn/ConOut/ErrOut before connecting
+   terminals"
+  "ArmPlatformPkg/Bds: let FindCandidate() search all filesystems"
+  "ArmPlatformPkg/Bds: FindCandidateOnHandle(): log full device path"
+  "ArmPlatformPkg/Bds: fall back to Boot Menu when no default option was found"
+  "ArmPlatformPkg/Bds: always connect drivers before looking at boot options"
+- drop patch "ArmPlatformPkg/ArmVirtualizationPkg: enable DEBUG_VERBOSE (Acadia
+  only)", obsoleted by fixed bug 1197141
+- tweak patch "write up build instructions (for interactive, local development)
+  (RHELSA)". The defaults in "BaseTools/Conf/target.template", ie.
+  ACTIVE_PLATFORM and TARGET_ARCH, are set for OVMF / X64. The AAVMF build
+  instructions now spell out the necessary override options (-p and -a,
+  respectively).
+- extend patch "build FAT driver from source (RHELSA)" to the Xen build as well
+  (only for consistency; we don't build for Xen).
+- drop the following downstream-only AAVMF patches, due to the 77d5dac ->
+  c9e5618 AAVMF rebase & join:
+  "redhat/process-rh-specific.sh: fix check for hunk-less filtered patches"
+  "redhat/process-rh-specific.sh: suppress missing files in final 'rm'"
+  "ArmVirtualizationQemu: build UEFI shell from source (Acadia only)"
+  "MdePkg: UefiScsiLib: do not encode LUN in CDB for READ and WRITE"
+  "MdePkg: UefiScsiLib: do not encode LUN in CDB for other SCSI commands"
+  "ArmVirtualizationPkg: work around cache incoherence on KVM affecting DTB"
+  "Changed build target to supp-rhel-7.1-candidate"
+  "ArmVirtualizationPkg: VirtFdtDxe: forward FwCfg addresses from DTB to PCDs"
+  "ArmVirtualizationPkg: introduce QemuFwCfgLib instance for DXE drivers"
+  "ArmVirtualizationPkg: clone PlatformIntelBdsLib from ArmPlatformPkg"
+  "ArmVirtualizationPkg: PlatformIntelBdsLib: add basic policy"
+  "OvmfPkg: extract QemuBootOrderLib"
+  "OvmfPkg: QemuBootOrderLib: featurize PCI-like device path translation"
+  "OvmfPkg: introduce VIRTIO_MMIO_TRANSPORT_GUID"
+  "ArmVirtualizationPkg: VirtFdtDxe: use dedicated VIRTIO_MMIO_TRANSPORT_GUID"
+  "OvmfPkg: QemuBootOrderLib: widen ParseUnitAddressHexList() to UINT64"
+  "OvmfPkg: QemuBootOrderLib: OFW-to-UEFI translation for virtio-mmio"
+  "ArmVirtualizationPkg: PlatformIntelBdsLib: adhere to QEMU's boot order"
+  "ArmVirtualizationPkg: identify "new shell" as builtin shell for Intel BDS"
+  "ArmVirtualizationPkg: Intel BDS: load EFI-stubbed Linux kernel from fw_cfg"
+  'Revert "ArmVirtualizationPkg: work around cache incoherence on KVM affecting
+   DTB"'
+  "OvmfPkg: QemuBootOrderLib: expose QEMU's "-boot menu=on[, splash-time=N]""
+  "OvmfPkg: PlatformBdsLib: get front page timeout from QEMU"
+  "ArmVirtualizationPkg: PlatformIntelBdsLib: get front page timeout from QEMU"
+  "ArmPkg: ArmArchTimerLib: clean up comments"
+  "ArmPkg: ArmArchTimerLib: use edk2-conformant (UINT64 * UINT32) / UINT32"
+  "ArmPkg: ArmArchTimerLib: conditionally rebase to actual timer frequency"
+  "ArmVirtualizationQemu: ask the hardware for the timer frequency"
+  "ArmPkg: DebugPeCoffExtraActionLib: debugger commands are not errors"
+  "ArmPlatformPkg: PEIM startup is not an error"
+  "ArmVirtualizationPkg: PlatformIntelBdsLib: lack of QEMU kernel is no error"
+  "ArmVirtualizationPkg: expose debug message bitmask on build command line"
+- tweak patch "rebase to upstream 77d5dac (Acadia only)": update spec changelog
+  only
+- tweak patch "spec: build AAVMF with the Intel BDS driver (RHELSA only)":
+  apply "-D INTEL_BDS" to manual build instructions in redhat/README too
+- tweak patch "spec: build and install verbose and silent (default) AAVMF
+  binaries": apply DEBUG_PRINT_ERROR_LEVEL setting to interactive build
+  instructions in redhat/README too
+- install OVMF whitepaper as part of the OVMF build's documentation
+- Resolves: bz#1211337
+  (merge AAVMF into OVMF)
+- Resolves: bz#1206523
+  ([AAVMF] fix missing cache maintenance)
+
+* Fri Mar 06 2015 Miroslav Rezanina <mrezanin@redhat.com> - AAVMF-20141113-5.git77d5dac.el7_1
+- aavmf-ArmPkg-DebugPeCoffExtraActionLib-debugger-commands-a.patch [bz#1197141]
+- aavmf-ArmPlatformPkg-PEIM-startup-is-not-an-error.patch [bz#1197141]
+- aavmf-ArmVirtualizationPkg-PlatformIntelBdsLib-lack-of-QEM.patch [bz#1197141]
+- aavmf-ArmVirtualizationPkg-expose-debug-message-bitmask-on.patch [bz#1197141]
+- aavmf-spec-build-and-install-verbose-and-silent-default-AA.patch [bz#1197141]
+- Resolves: bz#1197141
+  (create silent & verbose builds)
+
+* Tue Feb 10 2015 Miroslav Rezanina <mrezanin@redhat.com> - AAVMF-20141113-4.git77d5dac.el7
+- aavmf-ArmPkg-ArmArchTimerLib-clean-up-comments.patch [bz#1188247]
+- aavmf-ArmPkg-ArmArchTimerLib-use-edk2-conformant-UINT64-UI.patch [bz#1188247]
+- aavmf-ArmPkg-ArmArchTimerLib-conditionally-rebase-to-actua.patch [bz#1188247]
+- aavmf-ArmVirtualizationQemu-ask-the-hardware-for-the-timer.patch [bz#1188247]
+- aavmf-ArmPkg-TimerDxe-smack-down-spurious-timer-interrupt-.patch [bz#1188054]
+- Resolves: bz#1188054
+  (guest reboot (asked from within AAVMF) regressed in 3.19.0-0.rc5.58.aa7a host kernel)
+- Resolves: bz#1188247
+  (backport "fix gBS->Stall()" series)
+
+* Mon Jan 19 2015 Miroslav Rezanina <mrezanin@redhat.com> - AAVMF-20141113-3.git77d5dac.el7
+- aavmf-OvmfPkg-QemuBootOrderLib-expose-QEMU-s-boot-menu-on-.patch [bz#1172756]
+- aavmf-OvmfPkg-PlatformBdsLib-get-front-page-timeout-from-Q.patch [bz#1172756]
+- aavmf-ArmVirtualizationPkg-PlatformIntelBdsLib-get-front-p.patch [bz#1172756]
+- Resolves: bz#1172756
+  ([RFE]Expose boot-menu shortcut to domain via AAVMF)
+
+* Wed Jan 14 2015 Miroslav Rezanina <mrezanin@redhat.com> - AAVMF-20141113-2.git77d5dac.el7
+- aavmf-ArmVirtualizationPkg-VirtFdtDxe-forward-FwCfg-addres.patch [bz#1172749]
+- aavmf-ArmVirtualizationPkg-introduce-QemuFwCfgLib-instance.patch [bz#1172749]
+- aavmf-ArmVirtualizationPkg-clone-PlatformIntelBdsLib-from-.patch [bz#1172749]
+- aavmf-ArmVirtualizationPkg-PlatformIntelBdsLib-add-basic-p.patch [bz#1172749]
+- aavmf-OvmfPkg-extract-QemuBootOrderLib.patch [bz#1172749]
+- aavmf-OvmfPkg-QemuBootOrderLib-featurize-PCI-like-device-p.patch [bz#1172749]
+- aavmf-OvmfPkg-introduce-VIRTIO_MMIO_TRANSPORT_GUID.patch [bz#1172749]
+- aavmf-ArmVirtualizationPkg-VirtFdtDxe-use-dedicated-VIRTIO.patch [bz#1172749]
+- aavmf-OvmfPkg-QemuBootOrderLib-widen-ParseUnitAddressHexLi.patch [bz#1172749]
+- aavmf-OvmfPkg-QemuBootOrderLib-OFW-to-UEFI-translation-for.patch [bz#1172749]
+- aavmf-ArmVirtualizationPkg-PlatformIntelBdsLib-adhere-to-Q.patch [bz#1172749]
+- aavmf-ArmVirtualizationPkg-identify-new-shell-as-builtin-s.patch [bz#1172749]
+- aavmf-ArmVirtualizationPkg-Intel-BDS-load-EFI-stubbed-Linu.patch [bz#1172749]
+- aavmf-spec-build-AAVMF-with-the-Intel-BDS-driver-RHELSA-on.patch [bz#1172749]
+- aavmf-Revert-ArmVirtualizationPkg-work-around-cache-incohe.patch [bz#1172910]
+- Resolves: bz#1172749
+  (implement fw_cfg, boot order handling, and -kernel booting in ArmVirtualizationQemu)
+- Resolves: bz#1172910
+  (revert Acadia-only workaround (commit df7bca4e) once Acadia host kernel (KVM) is fixed)
+
+* Fri Dec 05 2014 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20140822-7.git9ece15a.el7
+- ovmf-MdePkg-UefiScsiLib-do-not-encode-LUN-in-CDB-for-READ.patch [bz#1166971]
+- ovmf-MdePkg-UefiScsiLib-do-not-encode-LUN-in-CDB-for-othe.patch [bz#1166971]
+- Resolves: bz#1166971
+  (virtio-scsi disks and cd-roms with nonzero LUN are rejected with errors)
+
+* Tue Nov 25 2014 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20140822-6.git9ece15a.el7
+- ovmf-OvmfPkg-AcpiPlatformDxe-make-dependency-on-PCI-enume.patch [bz#1166027]
+- Resolves: bz#1166027
+  (backport "OvmfPkg: AcpiPlatformDxe: make dependency on PCI enumeration explicit")
+
+* Tue Nov 18 2014 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20140822-4.git9ece15a.el7
+- ovmf-Add-comments-to-clarify-mPubKeyStore-buffer-MemCopy.patch [bz#1162314]
+- ovmf-MdeModulePkg-SecurityPkg-Variable-Add-boundary-check.patch [bz#1162314]
+- Resolves: bz#1162314
+ (EMBARGOED OVMF: uefi: INTEL-TA-201410-001 && INTEL-TA-201410-002 [rhel-7.1])
+
+* Thu Nov 13 2014 Laszlo Ersek <lersek@redhat.com> - AAVMF-20141113-1.git77d5dac
+- rebased to upstream 77d5dac
+  <https://bugzilla.redhat.com/show_bug.cgi?id=1162314#c1>
+- patch "ArmVirtualizationPkg: FdtPL011SerialPortLib: support UEFI_APPLICATION"
+  is now upstream (SVN r16219, git edb5073)
+
+* Thu Nov 13 2014 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20140822-3.git9ece15a.el7
+- ovmf-Revert-OvmfPkg-set-video-resolution-of-text-setup-to.patch [bz#1153927]
+- ovmf-Try-to-read-key-strike-even-when-the-TimeOuts-value-.patch [bz#1153927]
+- ovmf-OvmfPkg-BDS-remove-dead-call-to-PlatformBdsEnterFron.patch [bz#1153927]
+- ovmf-OvmfPkg-BDS-drop-useless-return-statement.patch [bz#1153927]
+- ovmf-OvmfPkg-BDS-don-t-overwrite-the-BDS-Front-Page-timeo.patch [bz#1153927]
+- ovmf-OvmfPkg-BDS-optimize-second-argument-in-PlatformBdsE.patch [bz#1153927]
+- ovmf-OvmfPkg-BDS-drop-superfluous-connect-first-boot-opti.patch [bz#1153927]
+- ovmf-OvmfPkg-BDS-drop-custom-boot-timeout-revert-to-Intel.patch [bz#1153927]
+- ovmf-OvmfPkg-set-video-resolution-of-text-setup-to-640x48.patch [bz#1153927]
+- Resolves: bz#1153927
+  (set NEXTBOOT to uefi setting failed from Windows Recovery console)
+
+* Tue Nov 11 2014 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20140822-2.git9ece15a
+- ovmf-redhat-process-rh-specific.sh-suppress-missing-files.patch [bz#1145784]
+- ovmf-Revert-RH-only-OvmfPkg-QemuVideoDxe-fix-querying-of-.patch [bz#1145784]
+- ovmf-Revert-RH-only-OvmfPkg-AcpiPlatformDxe-implement-QEM.patch [bz#1145784]
+- ovmf-Revert-RH-only-OvmfPkg-AcpiPlatformDxe-remove-curren.patch [bz#1145784]
+- ovmf-Revert-RH-only-OvmfPkg-AcpiPlatformDxe-actualize-Qem.patch [bz#1145784]
+- ovmf-Revert-RH-only-OvmfPkg-resolve-OrderedCollectionLib-.patch [bz#1145784]
+- ovmf-OvmfPkg-QemuVideoDxe-work-around-misreported-QXL-fra.patch [bz#1145784]
+- ovmf-OvmfPkg-resolve-OrderedCollectionLib-with-base-red-b.patch [bz#1145784]
+- ovmf-OvmfPkg-AcpiPlatformDxe-actualize-QemuLoader.h-comme.patch [bz#1145784]
+- ovmf-OvmfPkg-AcpiPlatformDxe-remove-current-ACPI-table-lo.patch [bz#1145784]
+- ovmf-OvmfPkg-AcpiPlatformDxe-implement-QEMU-s-full-ACPI-t.patch [bz#1145784]
+- ovmf-spec-build-small-bootable-ISO-with-standalone-UEFI-s.patch [bz#1147592]
+- ovmf-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch [bz#1147592]
+- ovmf-spec-exclude-the-UEFI-shell-from-the-SecureBoot-enab.patch [bz#1147592]
+- ovmf-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch [bz#1148296]
+- ovmf-spec-package-EnrollDefaultKeys.efi-on-UefiShell.iso-.patch [bz#1148296]
+- ovmf-OvmfPkg-disable-stale-fork-of-SecureBootConfigDxe.patch [bz#1148294]
+- ovmf-OvmfPkg-SecureBootConfigDxe-remove-stale-fork.patch [bz#1148294]
+- Resolves: bz#1145784
+  (OVMF sync with QXL and ACPI patches up to edk2 7a9612ce)
+- Resolves: bz#1147592
+  (the binary RPM should include a small ISO file with a directly bootable UEFI shell binary)
+- Resolves: bz#1148294
+  (drop OvmfPkg's stale fork of SecureBootConfigDxe)
+- Resolves: bz#1148296
+  (provide a non-interactive way to auto-enroll important SecureBoot certificates)
+
+* Wed Oct 15 2014 Laszlo Ersek <lersek@redhat.com> - AAVMF-20141015-1.gitc373687
+- ported packaging to aarch64 / AAVMF
+
+* Fri Aug 22 2014 Laszlo Ersek <lersek@redhat.com> - 20140822-1.git9ece15a.el7
+- rebase from upstream 3facc08 to 9ece15a
+- update to openssl-0.9.8zb
+- update to FatPkg SVN r86 (git 2355ea2c)
+- the following patches of Paolo Bonzini have been merged in upstream; drop the
+  downstream-only copies:
+  7bc1421 edksetup.sh: Look for BuildEnv under EDK_TOOLS_PATH
+  d549344 edksetup.sh: Ensure that WORKSPACE points to the top of an edk2
+          checkout
+  1c023eb BuildEnv: remove useless check before setting $WORKSPACE
+- include the following patches that have been pending review on the upstream
+  list for a long time:
+  [PATCH 0/4] OvmfPkg: complete client for QEMU's ACPI loader interface
+  http://thread.gmane.org/gmane.comp.bios.tianocore.devel/8369
+  [PATCH] OvmfPkg: QemuVideoDxe: fix querying of QXL's drawable buffer size
+  http://thread.gmane.org/gmane.comp.bios.tianocore.devel/8515
+- nasm is a build-time dependency now because upstream BuildTools has started
+  to call it directly
+
+* Wed Jul 23 2014 Laszlo Ersek <lersek@redhat.com> - 20140723-1.git3facc08.el7
+- rebase from upstream a618eaa to 3facc08
+- update to openssl-0.9.8za
+- drop downstream-only split varstore patch, rely on upstream's
+
+* Tue Jun 24 2014 Miroslav Rezanina <mrezanin@redhat.com> - 20140619-1.gita618eaa.el7
+- Initial version
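Review bot: The `Tue Nov 18 2014` changelog entry (OVMF-20140822-4) identifies the embargoed security fix for bz#1162314 only by the vendor advisory names INTEL-TA-201410-001 and INTEL-TA-201410-002. If CVE identifiers were assigned to those advisories, add them to that Resolves line so that someone auditing an installed package can find the fix by searching the changelog for the CVE. In the same entry, the continuation line ` (EMBARGOED OVMF: uefi: ...` is indented with one space, while the other Resolves continuations in this part of the changelog use two. The OVMF release numbers also go from -4 (Nov 18) to -6 (Nov 25) with no -5 entry; if -5 was a build that never shipped, a one-line remark would save the next reader from looking for a missing entry.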